Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.5.11, 7.1.0
Description
I came across this while fixing XSS vulnerabilities found during a penetration test of our application (which sadly still uses Wicket 1.5.x).
Just to be sure, I also checked the source from Wicket 7.1.0 and the issue is present as well.
The following lines in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow#getWindowOpenJavaScript() are the culprit
------------------
Object title = getTitle() != null ? getTitle().getObject() : null;
if (title != null)
------------------
Using escapeQuotes() is not enough, since JavaScript written without quotes is still executed by at least the latest Firefox version (didn't bother checking other browsers).
For example having the title model return a string that contains
<i onclick=alert(1)>stuff</i>
will make the browser show a JS popup when clicking on the dialog title.
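The following is an added illustration of the point the report makes; it is not Wicket's code and not part of the original issue. It mimics a quote-escaping helper of the kind the report refers to (assumed here to backslash-escape double and single quotes and nothing else), emits a `settings.title="..."` assignment in the assumed shape of the generated window-open script, evaluates that statement as a browser would, and checks whether the value that comes out of the JavaScript literal still carries an element with an inline event-handler attribute. It then shows the same title run through HTML entity escaping before quote escaping, which is the usual fix for a value that the client later inserts as markup. The payload is the one from the report; the second test string is constructed.

```javascript
// Added example, not Wicket's code. Demonstrates why escaping quotes for a
// JavaScript string literal does not stop markup injection when the string
// is later rendered as HTML.

// Assumed shape of a quote-escaping helper: protects the JS literal boundary
// only (backslashes, double quotes, single quotes). Everything else passes
// through untouched, including '<', '>' and '='.
function escapeQuotes(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/'/g, "\\'");
}

// HTML entity escaping: the characters that let text become markup are
// replaced, so the browser renders them as literal characters.
function escapeMarkup(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Assumed shape of the generated statement: the escaped title lands inside a
// double-quoted JavaScript string literal.
function titleAssignment(escapedTitle) {
  return 'settings.title="' + escapedTitle + '";';
}

// Runs the generated statement the way the browser's JS engine would and
// returns the resulting value, i.e. what later gets inserted into the page.
function evaluateAssignment(assignment) {
  return new Function("var settings = {}; " + assignment + " return settings.title;")();
}

// Heuristic: does the text still contain a tag with an on*= attribute?
// Matches both quoted (onclick="...") and unquoted (onclick=alert(1)) forms.
const INLINE_HANDLER = /<\w+[^>]*\son\w+\s*=/i;

function hasInlineHandler(s) {
  return INLINE_HANDLER.test(s);
}

// Payload from the report: no quotes at all, so escapeQuotes() has nothing to do.
const PAYLOAD = "<i onclick=alert(1)>stuff</i>";

// Compares the two escaping strategies for one title value.
function compare(title) {
  // Quote escaping alone, as in the report.
  const quotedOnly = titleAssignment(escapeQuotes(title));
  // Entity-escape the markup first, then quote-escape for the JS literal.
  const entityThenQuoted = titleAssignment(escapeQuotes(escapeMarkup(title)));
  return {
    quotedOnlyValue: evaluateAssignment(quotedOnly),
    quotedOnlyExecutable: hasInlineHandler(evaluateAssignment(quotedOnly)),
    entityValue: evaluateAssignment(entityThenQuoted),
    entityExecutable: hasInlineHandler(evaluateAssignment(entityThenQuoted)),
  };
}

// Stand-alone run: prints the two outcomes for the report's payload.
console.log(compare(PAYLOAD));
```

The second point worth checking is a title that does use quotes, such as `<i onclick="alert(1)">x</i>`: escapeQuotes() turns the quotes into `\"`, but once the JavaScript engine has parsed the literal the backslashes are gone and the handler attribute is intact again, so quoting makes no difference to the outcome. Only the entity-escaped variant leaves no `<` for the HTML parser to act on.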