[SLING-2082] XSS vulnerability: HtmlResponse output does not escape URLs in HTML - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Servlets Post 2.1.0, API 2.2.0
Fix Version/s: Servlets Post 2.1.2, API 2.2.2
Component/s: API, Servlets
Labels:
None

Description

A POST request including a <script> in the URL can lead to execution of that script in the browser:

http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e

Test with curl:

curl -X POST "http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e"

I think this applies to both org/apache/sling/api/servlets/HtmlResponse and org/apache/sling/servlets/post/HtmlResponse, but not sure how to trigger the first one.

Attachments

Activity

People

Assignee:: Bertrand Delacretaz

Reporter:: Alexander Klimetschek

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 18/May/11 16:56

Updated:: 04/Jul/14 07:40

Resolved:: 24/May/11 13:11