Good afternoon,

I'm a security researcher using the CodeQL code analysis tool from GitHub to run queries against open-source projects to check for security vulnerabilities.

When I checked CVE-2017-17837 "XSS injection leak in the windowId handling" against the Apache DeltaSpike-JSF 1.8.0 module, I noticed a second issue of the same category in the same file <https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java>. Lines 98-99 (https://github.com/apache/deltaspike/blob/4e2502358526b944fc5514c206d306e97ff271bb/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java#L98-L99) have:

<code>
Cookie servletCookie = (Cookie) cookie;
writer.write(",'initialRedirectWindowId':'" + secureWindowId(servletCookie.getValue()) + "'");
</code>

As the cookie value can be manipulated by end users and attackers, XSS attacks can be injected there. Should <code>writer.write</code> be changed to <code>writer.writeText</code>, similar to the change on line 81, <code>writer.writeText(windowId, null);</code>?

The webpage <https://deltaspike.apache.org/community.html> says I'd better ask on the mailing list before submitting a Jira request. Please investigate this issue and advise on whether this is a valid security vulnerability and whether a Jira request should be submitted or not.

Thanks,
luchua
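Added example, not DeltaSpike or JSF code, illustrating the sink the post describes: a cookie value concatenated into a JavaScript string literal inside a rendered script block. The vulnerable render mirrors the quoted writer.write(...) call but leaves out secureWindowId, because its behaviour is not shown on this page. The hardened render uses encodeForJsString, a hypothetical helper written for this example (not a ResponseWriter method), that \uXXXX-encodes every character outside a small allow-list. The caveat worth keeping in mind when weighing writer.writeText as the fix: writeText applies HTML entity encoding, and browsers do not decode entities inside a <script> element, so whether it stops a string-literal breakout depends on whether the JSF implementation in use escapes the single quote in text content, whereas a JavaScript string-literal encoder is the context-correct choice regardless. The attacker cookie value below is constructed for the demo.

```java
// Added example (not DeltaSpike/JSF code): cookie value -> JS string literal.
public class WindowIdScriptEncodingDemo {

    // Vulnerable pattern: raw concatenation into a JS string literal, the
    // same shape as the quoted writer.write(...) call (secureWindowId omitted).
    static String renderUnsafe(String cookieValue) {
        return ",'initialRedirectWindowId':'" + cookieValue + "'";
    }

    // Hypothetical JavaScript string-literal encoder, not a JSF API: every
    // character outside [A-Za-z0-9_-] is emitted as \uXXXX, so quotes,
    // backslashes, line terminators and '<' / '>' can neither terminate the
    // literal nor close the enclosing <script> element. The JS engine decodes
    // \u0027 back to an apostrophe, so the value itself is preserved.
    static String encodeForJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_';
            if (safe) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    // Hardened pattern: same fragment, value encoded for the JS string context.
    static String renderSafe(String cookieValue) {
        return ",'initialRedirectWindowId':'" + encodeForJsString(cookieValue) + "'";
    }

    // Rough check: the fragment should contain exactly the two single quotes
    // that delimit the literal; any extra quote means the value escaped it.
    static boolean breaksOutOfLiteral(String fragment) {
        int quotes = 0;
        for (int i = 0; i < fragment.length(); i++) {
            if (fragment.charAt(i) == '\'') {
                quotes++;
            }
        }
        return quotes != 2;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled cookie value: closes the string
        // literal, runs arbitrary JS, and comments out the trailing quote.
        String evil = "x';alert(document.cookie);//";

        String unsafe = renderUnsafe(evil);
        System.out.println(unsafe);
        // ,'initialRedirectWindowId':'x';alert(document.cookie);//'
        System.out.println("breaks out: " + breaksOutOfLiteral(unsafe)); // true

        String safe = renderSafe(evil);
        System.out.println(safe);
        // ,'initialRedirectWindowId':'x\u0027\u003balert\u0028document\u002ecookie\u0029\u003b\u002f\u002f'
        System.out.println("breaks out: " + breaksOutOfLiteral(safe)); // false
    }
}
```

Compile and run with `javac WindowIdScriptEncodingDemo.java && java WindowIdScriptEncodingDemo`. The allow-list is deliberately narrow; a real window id in DeltaSpike is expected to be short and alphanumeric, so encoding everything else costs nothing and removes the need to reason about which characters the surrounding JSF writer happens to escape.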
