Return-Path: <issues-return-10764-archive-asf-public=cust-asf.ponee.io@flex.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 23A43200B7D
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Fri, 26 Aug 2016 21:37:22 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 2224D160A94; Fri, 26 Aug 2016 19:37:22 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 96369160AB6
	for <archive-asf-public@cust-asf.ponee.io>; Fri, 26 Aug 2016 21:37:21 +0200 (CEST)
Received: (qmail 70972 invoked by uid 500); 26 Aug 2016 19:37:20 -0000
Mailing-List: contact issues-help@flex.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@flex.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@flex.apache.org>
List-Post: <mailto:issues@flex.apache.org>
List-Id: <issues.flex.apache.org>
Reply-To: dev@flex.apache.org
Delivered-To: mailing list issues@flex.apache.org
Received: (qmail 70719 invoked by uid 99); 26 Aug 2016 19:37:20 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 26 Aug 2016 19:37:20 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id 7D26E2C0154
	for <issues@flex.apache.org>; Fri, 26 Aug 2016 19:37:20 +0000 (UTC)
Date: Fri, 26 Aug 2016 19:37:20 +0000 (UTC)
From: "Aron Nopanen (JIRA)" <jira@apache.org>
To: issues@flex.apache.org
Message-ID: <JIRA.13000493.1472240146000.423412.1472240240509@Atlassian.JIRA>
In-Reply-To: <JIRA.13000493.1472240146000@Atlassian.JIRA>
References: <JIRA.13000493.1472240146000@Atlassian.JIRA> <JIRA.13000493.1472240146761@arcas>
Subject: [jira] [Updated] (FLEX-35123) DOM XSS vulnerability in history.js
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Fri, 26 Aug 2016 19:37:22 -0000


     [ https://issues.apache.org/jira/browse/FLEX-35123?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aron Nopanen updated FLEX-35123:
--------------------------------
    Attachment: 0001-Address-DOM-XSS-vulnerability.patch

> DOM XSS vulnerability in history.js
> -----------------------------------
>
>                 Key: FLEX-35123
>                 URL: https://issues.apache.org/jira/browse/FLEX-35123
>             Project: Apache Flex
>          Issue Type: Bug
>            Reporter: Aron Nopanen
>         Attachments: 0001-Address-DOM-XSS-vulnerability.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> Template file history.js contains a DOM XSS vulnerability. While it looks like it would be difficult to exploit, it should be addressed.
> The code in question is in a block specific to ancient versions of Safari (<= 2.0.4), so I propose that block could safely be removed entirely.
> The vulnerable line is:
> getFormElement().innerHTML = '<form name="historyForm" action="'+file+'#' + flexAppUrl + '" method="GET"></form>';
> The variables 'file' and 'flexAppUrl' are being passed unescaped into HTML subcontext.
> I'm attaching a patch that would remove the Safari-specific handling, including the vulnerable line.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)