cxf-issues mailing list archives

From "Daniel Kulp (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-7128) Review the possibility of using OWASP Sanitizer in FormattedServiceListWriter
Date Fri, 24 Mar 2017 17:57:41 GMT

     [ https://issues.apache.org/jira/browse/CXF-7128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp updated CXF-7128:
-----------------------------
    Fix Version/s:     (was: NeedMoreInfo)

> Review the possibility of using OWASP Sanitizer in FormattedServiceListWriter
> -----------------------------------------------------------------------------
>
>                 Key: CXF-7128
>                 URL: https://issues.apache.org/jira/browse/CXF-7128
>             Project: CXF
>          Issue Type: Improvement
>          Components: Transports
>            Reporter: Sergey Beryozkin
>
> The https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project project (and related projects) offers a number of ways to protect against XSS.
> Right now CXF ServletController uses BaseUrlHelper to recreate an absolute URL it listens upon, by removing all the matrix parameters, which were shown to pose a risk (CXF-6216).
> The question is: is the CXF-6216 fix sufficient, or is some more formal approach needed?
> My own opinion right now is that the CXF-6216 fix is good and there's no obvious need to add another library unless a new concrete attack is discovered.
> The CXF-6216 fix results in all the matrix parameters, if any, being removed. The encoding approach will keep them in encoded form in the service URIs which will be shown to the user.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
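The two mitigations the issue contrasts, as an added example that is not CXF code and does not use BaseUrlHelper or FormattedServiceListWriter: the "strip" approach removes every `;name=value` matrix parameter from the request path before it is echoed into the HTML service list, while the "encode" approach keeps the path but HTML-escapes it. The request path and the helper names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

/** Added example (not CXF code): neutralising matrix parameters before a request
 *  path is written into an HTML service list, first by stripping, then by encoding. */
public class MatrixParamDemo {

    /** Strip approach (the CXF-6216 style): drop ";..." from every path segment,
     *  so the matrix parameters never reach the HTML at all. */
    public static String stripMatrixParams(String path) {
        List<String> cleaned = new ArrayList<>();
        for (String segment : path.split("/", -1)) {
            int semi = segment.indexOf(';');
            cleaned.add(semi < 0 ? segment : segment.substring(0, semi));
        }
        return String.join("/", cleaned);
    }

    /** Encode approach: keep the matrix parameters, but escape the five HTML
     *  metacharacters so the value is inert inside an attribute or text node. */
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed request path with a matrix parameter containing HTML markup.
        String requestPath = "/services;x=<b>hi/books";
        String stripped = stripMatrixParams(requestPath); // "/services/books"
        String encoded  = htmlEscape(requestPath);        // "/services;x=&lt;b&gt;hi/books"
        // Either form is safe to embed; stripping also removes the attacker-controlled
        // text from the page entirely, which is why the issue prefers it.
        System.out.println("<a href=\"" + stripped + "\">" + stripped + "</a>");
        System.out.println("<a href=\"" + encoded + "\">" + encoded + "</a>");
    }
}
```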
