Wicket / WICKET-5782

Missing escaping in MultiFileUploadField.js - sort of XSS

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.17.0
    • Fix Version/s: 7.0.0-M5, 6.19.0
    • Component/s: None
    • Labels: None

      Description

      When uploading files via the org.apache.wicket.markup.html.form.upload.MultiFileUploadField component, the names of the uploaded files are added into a table.

      Inside MultiFileUploadField.js is a line that adds the names of the files:

      contentsColumn.innerHTML = this.getOnlyFileNames(element);

      This code is missing any escaping, so if you upload a file named:

      <code onmouseover=alert(1)>.doc

      and hover over the name, you trigger sort of an XSS.

      It is unlikely to be a real threat, as you can probably only attack yourself with this bug and it is very uncommon to have files with "<" or ">" characters in their name, but "&" can be relatively common in file names and "&" needs proper escaping too.

      So before adding the filename to contentsColumn.innerHTML, it needs to be properly escaped.

      People

      • Assignee: Martin Grigorov (mgrigorov)
      • Reporter: Martin Petricek (mpl)