[ https://issues.apache.org/jira/browse/VELTOOLS-126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Osipov updated VELTOOLS-126: ------------------------------------ Fix Version/s: (was: 3.0) > XSS Vulnerability when using struts/ErrorsTool.getMsgs > ------------------------------------------------------ > > Key: VELTOOLS-126 > URL: https://issues.apache.org/jira/browse/VELTOOLS-126 > Project: Velocity Tools > Issue Type: Bug > Components: VelocityStruts > Affects Versions: 1.4, 2.x > Environment: Identified in velocity-tools 1.4, verified by reading > code in trunk. > Reporter: Christopher Schultz > Priority: Major > > The code for ErrorsTool.getMsgs goes roughly like this: > String message = message("errors.header"); > foreach(error) { > message += message("errors.prefix") + error + message("errors.suffix") > message += message("errors.footer") > return message; > This is easily open to an XSS attack when an error message contains user > input. > Honestly, I'm not entirely sure if we should even do anything about this, > because the ErrorsTool is not strictly for use in an HTML context, so > escaping the error message itself may not be appropriate. Also, the message > itself may contain markup which the developer wants to remain, while the user > input should be escaped. > It's possible that the solution to this problem is to put a big warning on > the tool that XSS attacks are very easy using this tool. > I've been running with it for years, and didn't notice until today. I > replaced my use of errors.getMsgs with this: > $!msg.errors.header > #foreach($error in $errors.get($fieldName)) > $!msg.errors.prefix#htmlEscape($error)$!msg.errors.suffix > #end > $!msg.errors.header > ...which is appropriate for my uses, but might not work for everyone. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org