[ https://issues.apache.org/jira/browse/VELTOOLS-126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Osipov updated VELTOOLS-126:
------------------------------------
Fix Version/s: (was: 3.0)
> XSS Vulnerability when using struts/ErrorsTool.getMsgs
> ------------------------------------------------------
>
> Key: VELTOOLS-126
> URL: https://issues.apache.org/jira/browse/VELTOOLS-126
> Project: Velocity Tools
> Issue Type: Bug
> Components: VelocityStruts
> Affects Versions: 1.4, 2.x
> Environment: Identified in velocity-tools 1.4, verified by reading code in trunk.
> Reporter: Christopher Schultz
> Priority: Major
>
> The code for ErrorsTool.getMsgs goes roughly like this:
> String message = message("errors.header");
> foreach(error) {
>     message += message("errors.prefix") + error + message("errors.suffix");
> }
> message += message("errors.footer");
> return message;
> This is easily open to an XSS attack when an error message contains user
> input.
> Honestly, I'm not entirely sure if we should even do anything about this,
> because the ErrorsTool is not strictly for use in an HTML context, so
> escaping the error message itself may not be appropriate. Also, the message
> itself may contain markup which the developer wants to remain, while the user
> input should be escaped.
> It's possible that the solution to this problem is to put a big warning on
> the tool that XSS attacks are very easy using this tool.
> I've been running with it for years, and didn't notice until today. I
> replaced my use of errors.getMsgs with this:
> $!msg.errors.header
> #foreach($error in $errors.get($fieldName))
> $!msg.errors.prefix#htmlEscape($error)$!msg.errors.suffix
> #end
> $!msg.errors.footer
> ...which is appropriate for my uses, but might not work for everyone.
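The concatenation the report describes, placed beside a variant that escapes only the error text, as an added example that is not code from Velocity Tools or from the reporter. The resource-bundle values, the `message()` lookup and the error string are constructed for the example, and `htmlEscape` is a local helper standing in for the `#htmlEscape` macro used in the template above:

```java
import java.util.List;
import java.util.Map;

/**
 * Added example (not Velocity Tools code): a cut-down model of the
 * ErrorsTool.getMsgs concatenation from the report, next to a variant
 * that HTML-escapes each error before it is wrapped in the bundle markup.
 */
public class ErrorsToolXss {

    // Constructed stand-in for the Struts resource bundle. The markup in
    // these values is developer-controlled and is meant to reach the page as-is.
    static final Map<String, String> BUNDLE = Map.of(
        "errors.header", "<ul class=\"errors\">",
        "errors.prefix", "<li>",
        "errors.suffix", "</li>",
        "errors.footer", "</ul>");

    // Assumed lookup; a real ErrorsTool resolves keys through MessageResources.
    static String message(String key) {
        return BUNDLE.getOrDefault(key, "");
    }

    // Model of the original getMsgs: errors are concatenated verbatim, so any
    // user input interpolated into an error lands in the HTML unescaped.
    static String getMsgsVulnerable(List<String> errors) {
        StringBuilder message = new StringBuilder(message("errors.header"));
        for (String error : errors) {
            message.append(message("errors.prefix"))
                   .append(error)
                   .append(message("errors.suffix"));
        }
        message.append(message("errors.footer"));
        return message.toString();
    }

    // Hardened variant: identical assembly, but each error is escaped for an
    // HTML text context before being placed between the bundle's own tags,
    // so the developer's markup survives and the error text cannot add any.
    static String getMsgsEscaped(List<String> errors) {
        StringBuilder message = new StringBuilder(message("errors.header"));
        for (String error : errors) {
            message.append(message("errors.prefix"))
                   .append(htmlEscape(error))
                   .append(message("errors.suffix"));
        }
        message.append(message("errors.footer"));
        return message.toString();
    }

    // Minimal escaper for HTML text content and double-quoted attribute values.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed error: a validation message that echoes a user-supplied value.
        String userInput = "<script>alert(document.cookie)</script>";
        List<String> errors = List.of("Invalid username: " + userInput);

        System.out.println(getMsgsVulnerable(errors));
        System.out.println(getMsgsEscaped(errors));
    }
}
```

Running `main` prints the vulnerable rendering with the script tag intact inside the `<li>`, and the hardened rendering with the same tag turned into `&lt;script&gt;...`. The escaping sits at the point where the error text meets the developer-controlled markup, which is the distinction the report draws: the header, prefix, suffix and footer keep their tags, while the error string, whatever it contains, is treated as text. The caveat the reporter raises still applies to this variant, though. If an application deliberately puts markup into the error messages themselves, or uses the tool outside an HTML context, escaping inside getMsgs would corrupt that output, which is why the per-template approach in the report (escaping in the view with `#htmlEscape`) may be the more appropriate place to do it.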
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]