possible cross site scripting during login
------------------------------------------
Key: JS2-1075
URL: https://issues.apache.org/jira/browse/JS2-1075
Project: Jetspeed 2
Issue Type: Bug
Components: Security
Environment: all env
Reporter: radko keves
user can specify during login script, which isn't html escaped in
WEB-INF/templates/login/html/login.jsp page
solution, escapeHtml input strings, like this:
<%
String ln = "";
String pa = "";
Object ln_o = session.getAttribute(LoginConstants.USERNAME);
Object pa_o = session.getAttribute(LoginConstants.PASSWORD);
if (ln_o != null) ln = (String)ln_o;
if (pa_o != null) pa = (String)pa_o;
%>
<input type='hidden' name='j_username' value='<%=
StringEscapeUtils.escapeHtml(ln) %>'/>
<input type='hidden' name='j_password' value='<%=
StringEscapeUtils.escapeHtml(pa) %>'/>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
