[SLING-2082] XSS vulnerability: HtmlResponse output does not escape URLs in HTML - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Servlets Post 2.1.0, API 2.2.0
Fix Version/s: Servlets Post 2.1.2, API 2.2.2
Component/s: API, Servlets
Labels:
None

Description

A POST request including a <script> in the URL can lead to execution of that script in the browser:

http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e

Test with curl:

curl -X POST "http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e"

I think this applies to both org/apache/sling/api/servlets/HtmlResponse and org/apache/sling/servlets/post/HtmlResponse, but not sure how to trigger the first one.

Attachments

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Bertrand Delacretaz

Reporter:: Alexander Klimetschek

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18/May/11 16:56

Updated:: 04/Jul/14 07:40

Resolved:: 24/May/11 13:11

Agile

View on Board

XSS vulnerability: HtmlResponse output does not escape URLs in HTML

Details

Description

Attachments

Attachments

Activity

People

Dates

Agile

Slack

Issue deployment