tapestry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TAP5-1442) XSS vulnerability in calendar component
Date Wed, 19 Oct 2011 17:39:11 GMT

    [ https://issues.apache.org/jira/browse/TAP5-1442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13130804#comment-13130804
] 

Hudson commented on TAP5-1442:
------------------------------

Integrated in tapestry-trunk-freestyle #590 (See [https://builds.apache.org/job/tapestry-trunk-freestyle/590/])
    TAP5-1442: XSS vulnerability in calendar component

hlship : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1186329
Files : 
* /tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js

                
> XSS vulnerability in calendar component
> ---------------------------------------
>
>                 Key: TAP5-1442
>                 URL: https://issues.apache.org/jira/browse/TAP5-1442
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.2.4
>            Reporter: Emmanuel DEMEY
>            Assignee: Howard M. Lewis Ship
>             Fix For: 5.3
>
>         Attachments: datefield_5_2_4_xss_fix.js, datefield_js.patch
>
>
> All the XSS Vulnerabiliy (described here : https://issues.apache.org/jira/browse/TAP5-1057)
is not solved.
> When we use a Software like Paros, we can change the value of Ajax Request parameters.

> We can run javascript code. 
> I did  a patch this morning. I just added the escapeHTML function in both of the errorHandler
methods. 
> Emmanuel

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message