[
https://issues.apache.org/jira/browse/JS2-1075?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ate Douma updated JS2-1075:
---------------------------
Fix Version/s: 2.2.1
2.1.4
> possible cross site scripting during login
> ------------------------------------------
>
> Key: JS2-1075
> URL: https://issues.apache.org/jira/browse/JS2-1075
> Project: Jetspeed 2
> Issue Type: Bug
> Components: Security
> Environment: all env
> Reporter: radko keves
> Fix For: 2.1.4, 2.2.1
>
>
> user can specify during login script, which isn't html escaped in
> WEB-INF/templates/login/html/login.jsp page
> solution, escapeHtml input strings, like this:
> <%
> String ln = "";
> String pa = "";
> Object ln_o = session.getAttribute(LoginConstants.USERNAME);
> Object pa_o = session.getAttribute(LoginConstants.PASSWORD);
> if (ln_o != null) ln = (String)ln_o;
> if (pa_o != null) pa = (String)pa_o;
> %>
> <input type='hidden' name='j_username' value='<%=
> StringEscapeUtils.escapeHtml(ln) %>'/>
> <input type='hidden' name='j_password' value='<%=
> StringEscapeUtils.escapeHtml(pa) %>'/>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
