Joshua Hodge created TAP5-2685:
----------------------------------

             Summary: XSS reflection in AssetDispatcher 404 response
                 Key: TAP5-2685
                 URL: https://issues.apache.org/jira/browse/TAP5-2685
             Project: Tapestry 5
          Issue Type: Bug
          Components: tapestry-core
    Affects Versions: 5.7.2
            Reporter: Joshua Hodge


If you try to go to an invalid asset URL and include a <script> tag in the URL, 
the AssetDispatcher sends a 404 error response with the raw path as the error 
message. This causes the script to be executed when the browser displays the 
404 page.

An example URI path would be:

* /assets/e050db57533420555849da94aa7e042981598b81/publicke4p0<script>alert('Reflected-XSS')</script>r3974/combined.js

The raw incoming path should be HTML escaped before sending it as the body of 
the error response.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
