  1. Wicket
  2. WICKET-6037

ModalWindow vulnerable to Javascript injection through title model


Details

    Description

      I came across this while fixing XSS vulnerabilities found during a penetration test of our application (which sadly still uses Wicket 1.5.x).

      Just to be sure, I also checked the source from Wicket 7.1.0 and the issue is present as well.

      The following lines in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow#getWindowOpenJavaScript() are the culprit
      ------------------
      Object title = getTitle() != null ? getTitle().getObject() : null;
      if (title != null)
      {
          appendAssignment(buffer, "settings.title", escapeQuotes(title.toString()));
      }
      -----------------

      Using escapeQuotes() is not enough since JavaScript written without quotes is still executed by at least the latest Firefox version (didn't bother checking other browsers).

      For example having the title model return a string that contains

      <i onclick=alert(1)>stuff</i>

      will make the browser show a JS popup when clicking on the dialog title.
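
An added example, not part of the original report and not Wicket's code: it contrasts quote escaping alone with HTML-encoding the title before it is placed in the generated string literal. The bodies of `escapeQuotes` and `escapeMarkup`, the literal format and the other helper names are assumptions made for illustration.

```javascript
// Constructed stand-in for the quote escaping named in the report: it only
// backslash-escapes double quotes so the value stays inside a JS string literal.
function escapeQuotes(s) {
  return s.replace(/"/g, '\\"');
}

// Hypothetical HTML-context encoder (not Wicket's API): neutralises the
// characters an HTML parser treats as markup or attribute delimiters.
function escapeMarkup(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Builds the string literal assigned to settings.title on the server side.
// `encode` is the extra encoding step applied before quote escaping.
function titleLiteral(title, encode) {
  return '"' + escapeQuotes(encode(title)) + '"';
}

// Recovers the value the client script ends up holding after the literal is
// evaluated. For these inputs a JSON string parse matches the JS result.
function decodeLiteral(literal) {
  return JSON.parse(literal);
}

// True if the value still carries a tag opener that an HTML sink would parse.
function containsMarkup(value) {
  return /<[a-zA-Z\/!]/.test(value);
}

// Title string taken from the report above.
const reported = '<i onclick=alert(1)>stuff</i>';

// Quote escaping only: the tag reaches the client unchanged.
const weak = decodeLiteral(titleLiteral(reported, (s) => s));
// HTML-encoded first: the client receives inert text.
const hardened = decodeLiteral(titleLiteral(reported, escapeMarkup));

console.log({ weak, weakHasMarkup: containsMarkup(weak) });
console.log({ hardened, hardenedHasMarkup: containsMarkup(hardened) });
```

The two encodings guard different contexts: quote escaping keeps the value inside the JavaScript string literal, while markup encoding is what stops the browser from treating the title as HTML when it is rendered.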

          People

            svenmeier Sven Meier
            tgierke Tobias Gierke