[ https://issues.apache.org/jira/browse/SLING-2427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carl Hall updated SLING-2427:
-----------------------------

    Description:
When using HtmlRendererServlet to return content in an HTML format, it is possible to inject arbitrary HTML into the returned page.

To reproduce:
1. Add a node of content
   * curl -u admin:admin -F test=true http://localhost:8080/test_node
2. Get the new node in HTML format and append extra data to the URL
   * http://localhost:8080/test_node.html/<font size='88' color='red'>VOTE SLING</font><iframe height=800 width=600 src='http://www.uva.nl' /></iframe>

JIRA will escape the above URL. The unescaped URL is here: http://pastie.org/3451245

  was:
When using HtmlRendererServlet to return content in an HTML format, it is possible to inject arbitrary HTML into the returned page.

To reproduce:
1. Add a node of content
   * curl -u admin:admin -F test=true http://localhost:8080/test_node
2. Get the new node in HTML format and append extra data to the URL
   * http://localhost:8080/test_node.html/<font size='88' color='red'>VOTE SLING</font><iframe height=800 width=600 src='http://www.uva.nl' /></iframe>

> HtmlRendererServlet allows outputting arbitrary HTML
> ----------------------------------------------------
>
>                 Key: SLING-2427
>                 URL: https://issues.apache.org/jira/browse/SLING-2427
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.2
>            Reporter: Carl Hall
>            Assignee: Carl Hall
>
> When using HtmlRendererServlet to return content in an HTML format, it is
> possible to inject arbitrary HTML into the returned page.
> To reproduce:
> 1. Add a node of content
>    * curl -u admin:admin -F test=true http://localhost:8080/test_node
> 2. Get the new node in HTML format and append extra data to the URL
>    * http://localhost:8080/test_node.html/<font size='88' color='red'>VOTE
> SLING</font><iframe height=800 width=600 src='http://www.uva.nl' /></iframe>
> JIRA will escape the above URL.
> The unescaped URL is here: http://pastie.org/3451245

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
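The report above describes a reflected HTML injection: the servlet writes the request path, including the attacker-controlled suffix after ".html", into the response without HTML-escaping it. The following is an added example, not code from Apache Sling or from the reporter, that models that behaviour in Python so the defect and its fix can be checked offline. The path-splitting rule (resource path up to the first dot, extension up to the next slash, the rest is the suffix), the page layout, and the function names are simplifications assumed for the example; the node property and the payload are constructed to match the reproduction steps in the issue.

```python
import html

# Constructed inputs, modelled on the reproduction steps in SLING-2427:
# the node created with "curl -F test=true" has one property, and the
# request path carries the attacker's markup as a path suffix after ".html".
NODE_PROPS = {"test": "true"}
PAYLOAD_SUFFIX = ("/<font size='88' color='red'>VOTE SLING</font>"
                  "<iframe height=800 width=600 src='http://www.uva.nl' /></iframe>")
REQUEST_PATH = "/test_node.html" + PAYLOAD_SUFFIX


def split_path(path):
    """Split a Sling-style request path into (resource path, extension, suffix).

    Simplified model (an assumption of this example, not Sling's resolver):
    the resource path runs to the first '.', the extension to the next '/',
    and everything from that '/' onwards is the suffix.
    """
    dot = path.find(".")
    if dot == -1:
        return path, "", ""
    resource = path[:dot]
    ext, sep, rest = path[dot + 1:].partition("/")
    suffix = sep + rest  # keeps the leading '/' when a suffix is present
    return resource, ext, suffix


def render_vulnerable(path, props):
    """Mirror the reported behaviour: strings taken from the request are
    written into the page verbatim, so markup in the suffix reaches the browser."""
    resource, _ext, suffix = split_path(path)
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in props.items())
    return (f"<html><body><h1>Resource {resource}{suffix}</h1>"
            f"<table>{rows}</table></body></html>")


def esc(value):
    """HTML-escape a value for element content and attribute values."""
    return html.escape(str(value), quote=True)


def render_hardened(path, props):
    """Same page, but every string that originates in the request (resource
    path, suffix) or in repository content (property names and values) is
    escaped before it is placed in the markup."""
    resource, _ext, suffix = split_path(path)
    rows = "".join(f"<tr><td>{esc(k)}</td><td>{esc(v)}</td></tr>"
                   for k, v in props.items())
    return (f"<html><body><h1>Resource {esc(resource)}{esc(suffix)}</h1>"
            f"<table>{rows}</table></body></html>")


def contains_raw_tag(page, tag="<iframe"):
    """Check used to verify the fix: is the injected tag still present unescaped?"""
    return tag in page


if __name__ == "__main__":
    print("vulnerable page contains raw <iframe>:",
          contains_raw_tag(render_vulnerable(REQUEST_PATH, NODE_PROPS)))
    print("hardened page contains raw <iframe>:  ",
          contains_raw_tag(render_hardened(REQUEST_PATH, NODE_PROPS)))
```

The point of the hardened variant is that the escaping is applied at the output boundary to every request- or content-derived string, not only to the suffix that this particular report exercises; selectors, the resource path itself and property values are all attacker-influenced in the same way and need the same treatment.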