[ https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836301#comment-16836301 ]
Ashok Kumar commented on FELIX-6128: ------------------------------------ [~asanso] , [~karlpauls] , Should we escape the Manifest Headers (either selectively for Name or for all header values) coming from listHeaders [0] ? These are being used on bundles' detailed view [ [0] [https://github.com/apache/felix/blob/trunk/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L1158-L1175] > Issue in the bundle Web Console > ------------------------------- > > Key: FELIX-6128 > URL: https://issues.apache.org/jira/browse/FELIX-6128 > Project: Felix > Issue Type: Bug > Components: Web Console > Reporter: Antonio Sanso > Priority: Major > Attachments: escape_bundle_name.patch, image002.png, image003.png > > > RunningSnail reported an XSS issue in the bundle Web Console. > After logining,I visit the page whose url is > http://127.0.0.1:8080/system/console/bundles. > Then I click "Install/Update" and before uploading a jar file,I change the > content of the "MANIFEST.MF" in the jar file. > So when an admin visit the page,he will be affected by the stored xss. > See attached images -- This message was sent by Atlassian JIRA (v7.6.3#76005)