Hi,
I think there is another vulnerability in the datefield.js script. It can
happen, in the AJAX response, when you select a date from the calendar.
(Please refer to the last patch on
https://issues.apache.org/jira/browse/TAP5-1057. I still need to replace the
escape function with String.escapeHTML, as you've suggested.)
To reproduce the XSS attack, our client uses a proxy. After selecting a date
from the calendar, modify the URL by adding JS code at the end (the
resulting URL looks like
http://server:port/context/pagename.componentid:format?input=1268652856000""><script>alert("T5 is great!");</script>)
drobiazko wrote:
>
> Author: drobiazko
> Date: Thu Apr 29 19:55:34 2010
> New Revision: 939469
>
> URL: http://svn.apache.org/viewvc?rev=939469&view=rev
> Log:
> TAP5-1057: XSS vulnerability in calendar component
>
> Modified:
>
> tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
>
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java
>
> Modified:
> tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
> URL:
> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js?rev=939469&r1=939468&r2=939469&view=diff
> ==============================================================================
> ---
> tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
> (original)
> +++
> tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
> Thu Apr 29 19:55:34 2010
> @@ -48,7 +48,7 @@ Tapestry.DateField = Class.create( {
> }
> }
>
> - var value = $F(this.field);
> + var value = $F(this.field).escapeHTML();
>
> if (value == "") {
> this.datePicker.setDate(null);
>
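Review bot: the escaping in `+ var value = $F(this.field).escapeHTML();` is applied where the value is read, not where it is written into the page, so it covers only the path that runs through this function; the reply above reports a second path (the `:format` response reached through the `input` query parameter after a date is selected) that this hunk does not touch, and every place the script interpolates a user- or server-supplied string into markup needs escaping at that insertion point. Note also that the escaped string replaces the raw value for the rest of the function (the `if (value == "")` branch and whatever follows it), so a value containing `&`, `<` or `>` is carried on in entity-encoded form rather than as typed; escaping the copy that is rendered and keeping the raw copy for parsing avoids that.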
> Modified:
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java
> URL:
> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java?rev=939469&r1=939468&r2=939469&view=diff
> ==============================================================================
> ---
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java
> (original)
> +++
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java
> Thu Apr 29 19:55:34 2010
> @@ -231,6 +231,19 @@ public class FormTests extends TapestryC
>
> clickAndWait("link=english");
> }
> +
> + // TAP5-1057
> + @Test
> + public void xss_datefield()
> + {
> + clickThru("DateField Demo", "clear", "english");
> +
> + type("asteroidImpact", "<script>alert('T5 is great');
> </script>");
> +
> + click("id=asteroidImpact-trigger");
> +
> + assertBubbleMessage("asteroidImpact", "Unparseable date:
> \"<script>alert('T5 is great'); </script>\"");
> + }
>
> @Test
> public void event_based_translate() throws Exception
>
>
>
>
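Review bot: the new `xss_datefield` test exercises only the typed-input path (`type("asteroidImpact", ...)` followed by the trigger click) and asserts on the bubble text, so it would not catch the second path reported in the reply above, where the injected string arrives through the `input` query parameter of the `:format` request after a date is selected in the calendar; a companion test that selects a date and checks that the response is rendered as text would cover it. A one-line comment on the test stating what the bubble assertion guards against (the script text being shown literally rather than executed) would also help, since `// TAP5-1057` alone does not say that.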
--
View this message in context:
http://old.nabble.com/svn-commit%3A-r939469---in--tapestry-tapestry5-trunk-tapestry-core-src%3A-main-resources-org-apache-tapestry5-corelib-components-datefield.js-test-java-org-apache-tapestry5-integration-app1-FormTests.java-tp28405123p28409620.html
Sent from the Tapestry - Dev mailing list archive at Nabble.com.
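The thread's point, illustrated as an added example (this is not Tapestry's code and not part of the commit above): escaping belongs at the point where a string is written into markup, and a text-context escaper such as Prototype's String#escapeHTML (assumed here to rewrite only `&`, `<` and `>`) is not enough for an attribute value. The function names, the `renderBubble`/`renderInputMarkup` markup shapes and the sample value are my own constructions; the sample is taken from the query string quoted in the reply.

```javascript
// Added example, not Tapestry's code: output-side HTML escaping for the two
// contexts a field script writes into (element text, attribute values), and
// why escaping where the value is *read* changes the data itself.

// Text-context escaper, modelled on Prototype's String#escapeHTML
// (assumption: it rewrites only &, < and >; quote characters are left alone).
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Attribute-context escaper: additionally neutralises both quote characters,
// so the value cannot terminate the attribute it is placed in.
function escapeAttr(s) {
  return escapeHTML(s)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Read-side escaping, the shape of the r939469 change: the value is rewritten
// before anything parses it, so "1 & 2" is no longer what the user typed.
function readFieldEscaped(rawFieldValue) {
  return escapeHTML(rawFieldValue);
}

// Output-side escaping: the raw value stays available for parsing and is
// escaped only at the moment it is interpolated into markup.
function renderBubble(rawValue) {
  // text context: the value sits between tags, so escapeHTML is sufficient
  return '<div class="bubble">Unparseable date: "' + escapeHTML(rawValue) + '"</div>';
}

function renderInputMarkup(rawValue) {
  // attribute context: the value sits inside value="...", so quotes must go too
  return '<input type="text" value="' + escapeAttr(rawValue) + '">';
}

// Structural check used below: does the rendered markup still contain a raw
// <script opening tag? (true means escaping failed for that context)
function hasRawScriptTag(html) {
  return /<script/i.test(html);
}

// Constructed sample, copied from the query string quoted in the reply above.
const SAMPLE_INPUT = '1268652856000""><script>alert("T5 is great!");</script>';

// Prototype-style text escaping removes the tag but keeps the quotes, so it is
// safe in element text and insufficient inside an attribute value.
const textEscaped = escapeHTML(SAMPLE_INPUT);
const attrEscaped = escapeAttr(SAMPLE_INPUT);

console.log(renderBubble(SAMPLE_INPUT));
console.log(renderInputMarkup(SAMPLE_INPUT));
console.log("quotes survive text escaping:", textEscaped.includes('"')); // true
console.log("quotes survive attr escaping:", attrEscaped.includes('"')); // false
console.log("read-side escaping alters data:", readFieldEscaped("1 & 2")); // 1 &amp; 2
```

Run it with `node` to see both rendered strings: the bubble shows the script text literally, and the input's `value` attribute cannot be closed by the embedded `"` characters. The separation of `escapeHTML` from `escapeAttr` is the design point: one escaper per output context, chosen at the insertion site, with the raw value kept untouched for parsing.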