Tim Donohue commented on an issue
DSpace / Bug DS-1702
XSS injection possible on collection home page for JSPUI
On the collection home page in JSPUI, there is a list of recent submissions that lists the titles of few items in the collection.

The title strings do not pass Java's addEntities method and embedded JavaScript/CSS will be evaluated by the browser.

To fix, add "Utils.addEntities" to "dcv[0].value" in "collection-home.jsp"
_______________________________________________
Dspace-devel mailing list
Dspace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-devel
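To illustrate the fix described in the report, here is an added example that is not DSpace's own code: a stand-in entity encoder in the spirit of `Utils.addEntities`, and a recent-submissions list rendered first without escaping (the reported defect) and then with it. The names `escapeHtml` and `renderRecentSubmissions` and the sample titles are constructed for this example.

```java
import java.util.Arrays;
import java.util.List;

public class RecentSubmissionsEscapeDemo {

    // Hypothetical stand-in for the entity encoding DSpace's Utils.addEntities
    // performs; not the project's method. Encodes the five characters that let
    // metadata text break out of an HTML text or attribute context.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Mirrors the JSP loop over recent submissions: one <li> per item title.
    // escape=false reproduces the defect (dcv[0].value written raw into the page);
    // escape=true is the corrected behaviour (every title passes the encoder).
    static String renderRecentSubmissions(List<String> titles, boolean escape) {
        StringBuilder html = new StringBuilder("<ul class=\"recent-submissions\">\n");
        for (String title : titles) {
            String text = escape ? escapeHtml(title) : title;
            html.append("  <li>").append(text).append("</li>\n");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample titles: an ordinary one, and one carrying markup the
        // way a submitter-controlled dc.title value could.
        List<String> titles = Arrays.asList(
            "Annual Report 2013",
            "A <script>alert(1)</script> study of <b>bold</b> claims");

        System.out.println("--- unescaped (vulnerable rendering) ---");
        System.out.println(renderRecentSubmissions(titles, false));
        System.out.println("--- escaped (fixed rendering) ---");
        System.out.println(renderRecentSubmissions(titles, true));
    }
}
```

In the escaped output the second title appears literally as text, so the browser never sees a script element; the same encoding is what the report asks to apply to `dcv[0].value` in `collection-home.jsp`.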
