Return-Path: <issues-return-10983-archive-asf-public=cust-asf.ponee.io@flex.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 7E6E8200BC3
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu,  3 Nov 2016 19:52:16 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 7D27F160AE5; Thu,  3 Nov 2016 18:52:16 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id EAF14160B0B
	for <archive-asf-public@cust-asf.ponee.io>; Thu,  3 Nov 2016 19:52:15 +0100 (CET)
Received: (qmail 76613 invoked by uid 500); 3 Nov 2016 18:52:15 -0000
Mailing-List: contact issues-help@flex.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@flex.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@flex.apache.org>
List-Post: <mailto:issues@flex.apache.org>
List-Id: <issues.flex.apache.org>
Reply-To: dev@flex.apache.org
Delivered-To: mailing list issues@flex.apache.org
Received: (qmail 76380 invoked by uid 99); 3 Nov 2016 18:52:15 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 03 Nov 2016 18:52:15 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id D395F2C2AB6
	for <issues@flex.apache.org>; Thu,  3 Nov 2016 18:51:59 +0000 (UTC)
Date: Thu, 3 Nov 2016 18:51:59 +0000 (UTC)
From: "Aron Nopanen (JIRA)" <jira@apache.org>
To: issues@flex.apache.org
Message-ID: <JIRA.13000493.1472240146000.177086.1478199119863@Atlassian.JIRA>
In-Reply-To: <JIRA.13000493.1472240146000@Atlassian.JIRA>
References: <JIRA.13000493.1472240146000@Atlassian.JIRA> <JIRA.13000493.1472240146761@arcas>
Subject: [jira] [Commented] (FLEX-35123) DOM XSS vulnerability in history.js
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Thu, 03 Nov 2016 18:52:16 -0000


    [ https://issues.apache.org/jira/browse/FLEX-35123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15633815#comment-15633815 ] 

Aron Nopanen commented on FLEX-35123:
-------------------------------------

I'm happy to be in the CONTRIBUTORS list; thanks for accepting the patch!

> DOM XSS vulnerability in history.js
> -----------------------------------
>
>                 Key: FLEX-35123
>                 URL: https://issues.apache.org/jira/browse/FLEX-35123
>             Project: Apache Flex
>          Issue Type: Bug
>            Reporter: Aron Nopanen
>            Assignee: Justin Mclean
>             Fix For: Apache Flex 4.16.0
>
>         Attachments: 0001-Address-DOM-XSS-vulnerability.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> Template file history.js contains a DOM XSS vulnerability. While it looks like it would be difficult to exploit, it should be addressed.
> The code in question is in a block specific to ancient versions of Safari (<= 2.0.4), so I propose that block could safely be removed entirely.
> The vulnerable line is:
> getFormElement().innerHTML = '<form name="historyForm" action="'+file+'#' + flexAppUrl + '" method="GET"></form>';
> The variables 'file' and 'flexAppUrl' are being passed unescaped into HTML subcontext.
> I'm attaching a patch that would remove the Safari-specific handling, including the vulnerable line.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)