[ https://issues.apache.org/jira/browse/CXF-7128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp updated CXF-7128:
-----------------------------
Fix Version/s: (was: NeedMoreInfo)
> Review the possibility of using OWASP Sanitizer in FormattedServiceListWriter
> -----------------------------------------------------------------------------
>
> Key: CXF-7128
> URL: https://issues.apache.org/jira/browse/CXF-7128
> Project: CXF
> Issue Type: Improvement
> Components: Transports
> Reporter: Sergey Beryozkin
>
> The https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project project
> (and related projects) offers a number of ways to protect against XSS.
> Right now CXF ServletController uses BaseUrlHelper to recreate an absolute
> URL it listens upon, by removing all the matrix parameters which were shown
> to pose a risk (CXF-6216).
> The question is: is the CXF-6216 fix sufficient, or is some more formal
> approach needed?
> My own opinion right now is that the CXF-6216 fix is good and there's no
> obvious need to add another library unless a new concrete attack is
> discovered.
> The CXF-6216 fix results in all the matrix parameters, if any, being removed.
> The encoding approach would keep them, in encoded form, in the service URIs
> that are shown to the user.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
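To make the two approaches contrasted in the description concrete (removing matrix parameters, as the CXF-6216 fix does, versus keeping them and HTML-encoding them), here is an added Python example; it is not CXF code, and the sample URL, the function names and the use of Python's urllib and html modules in place of CXF's BaseUrlHelper are my own assumptions.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: an absolute URL as a servlet might reconstruct it, with
# matrix parameters (";key=value" after a path segment) on two segments. One of
# them carries markup characters that must never reach the rendered page raw.
SAMPLE_URL = "http://localhost:8080/services;jsessionid=abc;x=<b>/list;y=1?q=a"


def strip_matrix_params(url: str) -> str:
    """Approach of the CXF-6216 fix as described in the issue: drop every
    matrix parameter from every path segment, so nothing supplied in that
    position of the request URL is echoed into the service list."""
    parts = urlsplit(url)
    # Each segment is "name;k=v;k2=v2"; keep only the part before the first ';'.
    segments = [seg.split(";", 1)[0] for seg in parts.path.split("/")]
    return urlunsplit(parts._replace(path="/".join(segments)))


def html_encode_url(url: str) -> str:
    """The alternative the issue mentions: keep the matrix parameters but
    HTML-encode the URL before writing it into HTML, so '<', '>', '&' and
    quotes cannot break out of the attribute or text node they land in."""
    return escape(url, quote=True)


def render_service_entry(url: str) -> str:
    """Defensive combination used here to build one service-list entry:
    strip the matrix parameters first, then still encode at the sink, since
    output encoding at the point of rendering is the standard XSS control
    whatever filtering happened earlier."""
    safe = escape(strip_matrix_params(url), quote=True)
    return f'<a href="{safe}">{safe}</a>'


if __name__ == "__main__":
    print(strip_matrix_params(SAMPLE_URL))
    print(html_encode_url(SAMPLE_URL))
    print(render_service_entry(SAMPLE_URL))
```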