Affects Version/s: 1.4, 2.x
Fix Version/s: None
Environment: Identified in velocity-tools 1.4, verified by reading code in trunk.
The code for ErrorsTool.getMsgs goes roughly like this:
String message = message("errors.header");
message += message("errors.prefix") + error + message("errors.suffix"); // error is inserted verbatim, no escaping
message += message("errors.footer");
Because the error text is concatenated into the output without any escaping, this is easily open to an XSS attack whenever an error message contains user input.
Honestly, I'm not entirely sure if we should even do anything about this, because the ErrorsTool is not strictly for use in an HTML context, so escaping the error message itself may not be appropriate. Also, the message itself may contain markup which the developer wants to remain, while the user input should be escaped.
It's possible that the solution to this problem is to put a big warning on the tool that XSS attacks are very easy using this tool.
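As an added example (not the project's code), the following stand-in reproduces the concatenation above and shows the two behaviours side by side: with escaping off, the error text goes in verbatim; with it on, only that text is HTML-escaped while the bundle's own markup (header, prefix, suffix, footer) is kept. The MESSAGES map and the escapeHtml helper are constructed for this example and stand in for the real message lookup.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class ErrorsToolExample {
    // Constructed stand-in for the resource bundle; the keys mirror those quoted in the report.
    static final Map<String, String> MESSAGES = new LinkedHashMap<>();
    static {
        MESSAGES.put("errors.header", "<ul class=\"errors\">");
        MESSAGES.put("errors.prefix", "<li>");
        MESSAGES.put("errors.suffix", "</li>");
        MESSAGES.put("errors.footer", "</ul>");
    }

    static String message(String key) { return MESSAGES.getOrDefault(key, ""); }

    // Minimal HTML escaping of the characters that matter in element content and attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Same layout as the concatenation quoted in the report. escapeErrors=false inserts the error
    // text verbatim (the reported behaviour); escapeErrors=true escapes only that text, so the
    // bundle's own markup still renders as intended.
    static String getMsgs(List<String> errors, boolean escapeErrors) {
        StringBuilder sb = new StringBuilder(message("errors.header"));
        for (String error : errors) {
            sb.append(message("errors.prefix"))
              .append(escapeErrors ? escapeHtml(error) : error)
              .append(message("errors.suffix"));
        }
        return sb.append(message("errors.footer")).toString();
    }

    public static void main(String[] args) {
        // Constructed error whose text echoes a submitted value that contains markup.
        List<String> errors = List.of("Unknown user: <i>guest</i>");
        System.out.println(getMsgs(errors, false)); // the input's markup is emitted as live HTML
        System.out.println(getMsgs(errors, true));  // the input's markup is emitted as text
    }
}
```

Note that this only helps when the whole error string is the untrusted part; if a developer's own message already has user input spliced into it, the escaping has to happen at the point where that input is inserted, not in getMsgs.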
I've been running with it for years, and didn't notice until today. I replaced my use of errors.getMsgs with this:
#foreach($error in $errors.get($fieldName))
...which is appropriate for my uses, but might not work for everyone.