Matthias Walliczek created DELTASPIKE-1389:
----------------------------------------------
Summary: Sanitizing of dswid imperfect (XSS, security)
Key: DELTASPIKE-1389
URL: https://issues.apache.org/jira/browse/DELTASPIKE-1389
Project: DeltaSpike
Issue Type: Bug
Components: JSF-Module
Affects Versions: 1.9.1
Reporter: Matthias Walliczek
Despite the improvement made in
https://issues.apache.org/jira/browse/DELTASPIKE-1307, the sanitizing of the
dswid parameter is still imperfect.
PoC: request a page with "xzy.jsf?dswid=',danger,'" will render "danger" as
variable into the javascript code.
Solution: Instead of filtering "(", "<" and "&" as a black list attempt which
is not recommended by the OWASP, only numeric characters and "-" should be
allowed as white list approach.
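An added illustration of the white-list approach proposed above; this is not code from the DeltaSpike project or from the reporter, and the class and method names are assumptions. It contrasts the black-list filter the report criticises (stripping "(", "<" and "&") with a white-list that accepts only digits and "-", using the reporter's `',danger,'` input, and shows why only the white-listed value is safe to embed in a JavaScript string literal.

```java
import java.util.regex.Pattern;

// Hypothetical helper, not DeltaSpike's own code.
public class DswidSanitizer {

    // Black-list filter: removes a few dangerous characters but leaves
    // quotes and commas untouched, so a value can still break out of a
    // JavaScript string literal.
    static String blacklistFilter(String dswid) {
        if (dswid == null) {
            return null;
        }
        return dswid.replace("(", "").replace("<", "").replace("&", "");
    }

    // White-list: a window id may consist only of digits and "-"
    // (the character set suggested in the report; assumption).
    private static final Pattern ALLOWED = Pattern.compile("[0-9-]+");

    static boolean isValidDswid(String dswid) {
        return dswid != null && ALLOWED.matcher(dswid).matches();
    }

    // White-list filter: returns the value unchanged if it is valid,
    // otherwise rejects it entirely (null) instead of trying to repair it.
    static String whitelistFilter(String dswid) {
        return isValidDswid(dswid) ? dswid : null;
    }

    // Simulates embedding the id in a JavaScript snippet, as the JSF
    // module does, so the effect of each filter is visible.
    static String renderScript(String dswid) {
        if (dswid == null) {
            return "var dswid = null;";
        }
        return "var dswid = '" + dswid + "';";
    }

    public static void main(String[] args) {
        String[] inputs = { "1234", "-42", "',danger,'" };
        for (String input : inputs) {
            System.out.println("input:      " + input);
            System.out.println("black-list: " + renderScript(blacklistFilter(input)));
            System.out.println("white-list: " + renderScript(whitelistFilter(input)));
            System.out.println();
        }
    }
}
```

Running the class shows that the black-list filter passes `',danger,'` straight into the script, while the white-list rejects it and accepts only the numeric ids. Rejecting invalid input outright, rather than stripping characters from it, is what makes the white-list approach robust against payloads the black-list never anticipated.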
--
This message was sent by Atlassian Jira
(v8.3.4#803005)