[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1401?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mark Struberg resolved DELTASPIKE-1401.
---------------------------------------
    Resolution: Fixed

> Multiple XSS issues in ClientSideWindowStrategy
> -----------------------------------------------
>
>                 Key: DELTASPIKE-1401
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1401
>             Project: DeltaSpike
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: JSF-Module
>    Affects Versions: 1.8.2, 1.9.2
>            Reporter: Christian Beikov
>            Assignee: Christian Beikov
>            Priority: Blocker
>             Fix For: 1.9.3
>
>
> In 
> {{org.apache.deltaspike.jsf.impl.scope.window.strategy.ClientSideWindowStrategy#sendWindowHandlerHtml}}
>  the request URL and window id is injected into a JS block and HTML attribute 
> directly. This allows to inject any JS/HTML from the URL.
> The fix would be to properly escape the URL and window id such that it can be 
> integrated safely into a JS variable or HTML.
> Assuming we add a dependency for the OWASP encoder:
> {code:java}
> <dependency>
>     <groupId>org.owasp.encoder</groupId>
>     <artifactId>encoder</artifactId>
>     <version>1.2.2</version>
> </dependency>
> {code}
>  
> The fix is to do the following replacements
> {code:java}
> windowHandlerHtml = windowHandlerHtml.replace(WINDOW_ID_REPLACE_PATTERN,
>         windowId);
> {code}
> with
> {code:java}
> windowHandlerHtml = windowHandlerHtml.replace(WINDOW_ID_REPLACE_PATTERN,
>         org.owasp.encoder.Encode.forJavaScriptBlock(windowId));
> {code}
>  
> and
> {code:java}
> windowHandlerHtml = windowHandlerHtml.replace(REQUEST_URL_REPLACE_PATTERN,
>         ClientWindowHelper.constructRequestUrl(externalContext));
> {code}
> with
> {code:java}
> windowHandlerHtml = windowHandlerHtml.replace(REQUEST_URL_REPLACE_PATTERN,
>         org.owasp.encoder.Encode.forJavaScriptBlock(
>                 
> ClientWindowHelper.constructRequestUrl(externalContext)));{code}
>  
> and
> {code:java}
> windowHandlerHtml =
>         windowHandlerHtml.replace(NOSCRIPT_URL_REPLACE_PATTERN, 
> getNoscriptUrl(externalContext));
> {code}
> with
> {code:java}
> windowHandlerHtml =
>         windowHandlerHtml.replace(NOSCRIPT_URL_REPLACE_PATTERN, 
> org.owasp.encoder.Encode.forHtmlAttribute(getNoscriptUrl(externalContext)));
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to