[ https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836360#comment-16836360 ]
Ashok Kumar commented on FELIX-6128: ------------------------------------ New patch - escape_bundle_name_and_other_manifest_headers.patch , which takes care of manifest headers listing along with bundle name. > Issue in the bundle Web Console > ------------------------------- > > Key: FELIX-6128 > URL: https://issues.apache.org/jira/browse/FELIX-6128 > Project: Felix > Issue Type: Bug > Components: Web Console > Reporter: Antonio Sanso > Assignee: Karl Pauls > Priority: Major > Attachments: escape_bundle_name_and_other_manifest_headers.patch, > image002.png, image003.png > > > RunningSnail reported an XSS issue in the bundle Web Console. > After logining,I visit the page whose url is > http://127.0.0.1:8080/system/console/bundles. > Then I click "Install/Update" and before uploading a jar file,I change the > content of the "MANIFEST.MF" in the jar file. > So when an admin visit the page,he will be affected by the stored xss. > See attached images -- This message was sent by Atlassian JIRA (v7.6.3#76005)