XSS vulnerability in calendar component (apply to 5.1.0.x)
----------------------------------------------------------

Key: TAP5-1262
URL: https://issues.apache.org/jira/browse/TAP5-1262
Project: Tapestry 5
Issue Type: Bug
Components: tapestry-core
Affects Versions: 5.1.0.5
Reporter: Christophe Cordenier
Assignee: Christophe Cordenier
Fix For: 5.2.0

The calendar component provided in Tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses DateField. To reproduce the vulnerability, put JS code like <script>alert("T5 is great"); </script> in any DateField and click on the related calendar bitmap.

After a quick search in DateField.js, it seems like the field value is not escaped. Escaping the field value with a change like var value = escape($F(this.field)); seems to solve this vulnerability.
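The defect above is a user-controlled field value leaving the page without encoding. As an added example (not Tapestry's DateField.js), the snippet below shows the two encoders a client script needs for that value: one for placing it in a URL query parameter, and one for writing any server echo of it back into the page; the endpoint path is a constructed placeholder.

```javascript
// Added example, not Tapestry's own code. The '/datefield/parse' path is a
// constructed placeholder standing in for whatever the component calls.

// Encode the field value as one URL query parameter. encodeURIComponent is the
// modern replacement for the legacy escape() suggested in the report: it also
// encodes '+', '/', '@' and non-ASCII text (as UTF-8), so the value cannot
// break out of its parameter or carry raw markup to the server.
function buildParseUrl(fieldValue) {
  return '/datefield/parse?input=' + encodeURIComponent(fieldValue);
}

// Escape a string for insertion as HTML text or attribute content. Use this
// (or textContent) instead of innerHTML concatenation when a server message
// that may echo the user's input is written back into the page.
function escapeHtml(text) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Detection check: a correctly encoded value contains no raw angle brackets
// for the browser to parse as a tag.
function isMarkupFree(s) {
  return !/[<>]/.test(s);
}

// Constructed test input: the payload quoted in the report.
var payload = '<script>alert("T5 is great"); </script>';
console.log(buildParseUrl(payload));
console.log(escapeHtml('Unparseable date: ' + payload));
console.log(isMarkupFree(buildParseUrl(payload)) && isMarkupFree(escapeHtml(payload)));
```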