[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Drobiazko reassigned TAP5-1057: ------------------------------------ Assignee: Igor Drobiazko > XSS vulnerability in calendar component > --------------------------------------- > > Key: TAP5-1057 > URL: https://issues.apache.org/jira/browse/TAP5-1057 > Project: Tapestry 5 > Issue Type: Bug > Components: tapestry-core > Affects Versions: 5.1.0.5 > Reporter: François Facon > Assignee: Igor Drobiazko > Attachments: datefield_js.patch, datefield_js.patch > > > The calendar component provided in tapestry 5.1.0.5 could be used to allow > code injection by malicious web users into any page that uses datefield . > To reproduce the vulnerability, put js code like <script>alert("T5 is > great"); </script> in any datefield and click on the related calendar bitma > After quick search in the DateField.js, it seems like the field value is not > escaping > escaping with a change like var value = escape($F(this.field)); the field > value seems solve this vulnerability. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.