[
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16698646#comment-16698646
]
Bernd Bohmann commented on MYFACES-4266:
----------------------------------------
This is a really critical part.
> Ajax update fails due to invalid characters in response XML (DoS)
> -----------------------------------------------------------------
>
> Key: MYFACES-4266
> URL: https://issues.apache.org/jira/browse/MYFACES-4266
> Project: MyFaces Core
> Issue Type: Bug
> Affects Versions: 2.3.2
> Environment: jetty 9.4.14.v20181114
> JDK 10
> Reporter: cnsgithub
> Priority: Major
> Fix For: 2.0.25, 2.1.19, 2.2.13, 2.3.3, 3.0.0-SNAPSHOT
>
>
> I noticed that the {{<f:ajax />}} update fails when the updated form contains
> unicode characters, which are not allowed in the [XML 1.0
> spec|https://www.w3.org/TR/REC-xml/#charsets].
> h2. Expected Behaviour
> If the update response contains characters that are not allowed in XML, they
> should be filtered by MyFaces before writing the response.
> h2. Actual Behaviour
> Some illegal XML characters are not filtered and therefore the browser fails
> to parse the response.
> h2. Steps to reproduce
> I created a small github project to reproduce this behaviour:
> [https://github.com/cnsgithub/mojarra-ajax/tree/myfaces] (branch myfaces)
> To reproduce:
> - {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
> - {{git checkout myfaces}}
> - run {{mvn clean package jetty:run}}
> - after the server has started, open [http://localhost:8080/index.xhtml]
> - Click the button, the error should occur
> The issue also occurs with user supplied inputs:
> - open [http://localhost:8080/input.xhtml]
> - Paste the characters from the {{illegal-xml-chars.txt}} file into the
> input field
> - Click the button
> This issue should be addressed with high priority since it is security
> related (might be exploited for Denial of Service).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
