[ https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836303#comment-16836303 ]
Karl Pauls commented on FELIX-6128: ----------------------------------- Hi [~ashokpanghal], thanks a lot for looking into this - yes, I think we should have a look at all headers and see where it makes sense to escape them. > Issue in the bundle Web Console > ------------------------------- > > Key: FELIX-6128 > URL: https://issues.apache.org/jira/browse/FELIX-6128 > Project: Felix > Issue Type: Bug > Components: Web Console > Reporter: Antonio Sanso > Priority: Major > Attachments: escape_bundle_name.patch, image002.png, image003.png > > > RunningSnail reported an XSS issue in the bundle Web Console. > After logining,I visit the page whose url is > http://127.0.0.1:8080/system/console/bundles. > Then I click "Install/Update" and before uploading a jar file,I change the > content of the "MANIFEST.MF" in the jar file. > So when an admin visit the page,he will be affected by the stored xss. > See attached images -- This message was sent by Atlassian JIRA (v7.6.3#76005)