[ 
https://issues.apache.org/jira/browse/ISIS-884?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14130042#comment-14130042
 ] 

ASF subversion and git services commented on ISIS-884:
------------------------------------------------------

Commit df57029118c3d796a120c24a704c50c95b3d4296 in isis's branch 
refs/heads/master from [~danhaywood]
[ https://git-wip-us.apache.org/repos/asf?p=isis.git;h=df57029 ]

ISIS-884: to avoid possibility of XSS attacks, removing use of 
setEscapeModelStrings(false) anywhere that the content is dynamic (error 
messages etc).

Also, for JGrowl-based messages, explicitly calling Wicket's 
Strings.escapeHtml (the same underlying method that the default escaping does).


> ErrorPage vulnerable to XSS attacks.
> ------------------------------------
>
>                 Key: ISIS-884
>                 URL: https://issues.apache.org/jira/browse/ISIS-884
>             Project: Isis
>          Issue Type: Bug
>          Components: Viewer: Wicket
>    Affects Versions: viewer-wicket-1.6.0
>            Reporter: Dan Haywood
>            Assignee: Dan Haywood
>            Priority: Blocker
>             Fix For: viewer-wicket-1.7.0
>
>
> The default error page 
> (org.apache.isis.viewer.wicket.ui.pages.error.ErrorPage) is vulnerable to XSS 
> via org.apache.isis.viewer.wicket.ui.errors.ExceptionStackTracePanel
> In the constructor of ExceptionStackTracePanel, it adds a Label with the 
> exception message and calls setEscapeModelStrings(false)
> This means that a URL can be constructed to reference an entity with 
> Javascript inserted where the OID should be, and an exception is thrown with 
> the Javascript code inserted into the message.
> This is then written to the page un-escaped to be executed in the user's 
> session.
> It is made worse by the bookmarkable feature (I think that's what does this), 
> where an attacker can navigate to a crafted URL on a user's PC; if the user doesn't 
> close all of their browser windows before the session times out, then when they 
> log in they will be redirected to the crafted URL.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
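As an added illustration (not part of this issue, and not code from the Isis or Wicket projects): a minimal, self-contained Java program that contrasts the rendering path the report describes, where an exception message derived from the request is written into the markup verbatim as happens with setEscapeModelStrings(false), with the fixed path where the message is HTML-escaped first. The escapeHtml helper, the renderUnescaped/renderEscaped methods and the lookupFailureMessage wording are constructed for this demo and stand in for the framework's own default escaping; the input string is a constructed test value.

```java
/**
 * Added illustration only: shows why disabling model-string escaping on a
 * Label that carries dynamic text (an exception message) lets request-derived
 * markup reach the page, and what the output looks like once escaping is applied.
 */
public class ErrorPanelEscapingDemo {

    /**
     * Escapes the five characters that matter in HTML text and attribute context.
     * Constructed stand-in for the escaping a view framework applies by default.
     */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mirrors the reported flaw: the message is written into the page as-is. */
    static String renderUnescaped(String exceptionMessage) {
        return "<div class=\"error\">" + exceptionMessage + "</div>";
    }

    /** Fixed form: dynamic content is escaped before it is placed in the markup. */
    static String renderEscaped(String exceptionMessage) {
        return "<div class=\"error\">" + escapeHtml(exceptionMessage) + "</div>";
    }

    /**
     * Builds the kind of message an entity lookup might raise when the OID in the
     * URL cannot be resolved. Hypothetical wording chosen for the demo.
     */
    static String lookupFailureMessage(String oidFromUrl) {
        return "Could not resolve object identifier: " + oidFromUrl;
    }

    public static void main(String[] args) {
        // Constructed input: the OID segment of the URL carries markup, not an identifier.
        String craftedOid = "<script>alert(1)</script>";
        String message = lookupFailureMessage(craftedOid);

        String raw = renderUnescaped(message);
        String safe = renderEscaped(message);

        System.out.println("unescaped: " + raw);
        System.out.println("escaped:   " + safe);

        // Regression check a test suite could keep: no tag survives escaping...
        if (safe.contains("<script") || safe.contains("</script")) {
            throw new AssertionError("escaping failed");
        }
        // ...while the original text is still readable on the error page.
        if (!safe.contains("&lt;script&gt;alert(1)&lt;/script&gt;")) {
            throw new AssertionError("unexpected escaped form");
        }
    }
}
```

The practical takeaway matches the commit: keep the framework's default escaping on for any Label whose model is dynamic, and only disable it for content the application itself authored as markup. If a message component (such as the JGrowl feedback mentioned above) has to emit raw HTML, escape the dynamic pieces explicitly before concatenating them.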
