CXF / CXF-7128

Review the possibility of using OWASP Sanitizer in FormattedServiceListWriter


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Transports
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      The OWASP Java HTML Sanitizer project (https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project) and related projects offer a number of ways to protect against XSS.

      Right now the CXF ServletController uses BaseUrlHelper to recreate the absolute URL it listens on, removing all the matrix parameters, which were shown to pose a risk (CXF-6216).

      The question is: is the CXF-6216 fix sufficient, or is some more formal approach needed?

      My own opinion right now is that the CXF-6216 fix is good and there's no obvious need to add another library unless a new concrete attack is discovered.

      The CXF-6216 fix results in all the matrix parameters, if any, being removed. The encoding approach will keep them, in encoded form, in the service URIs that are shown to the user.
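The two strategies the description compares, shown side by side on a constructed hostile request. This is an added illustration, not CXF's own code: the class and method names, the localhost base URL and the request path are all assumptions made for the example, and the minimal escaper stands in for whatever encoder a real implementation would use.

```java
/**
 * Added illustration (not CXF code): how an attacker-influenced request path
 * behaves under the two strategies the issue compares, before the absolute
 * service URL is echoed into the HTML service list page.
 */
public class ServiceListUrlDemo {

    /** Strategy 1 (what the issue says the CXF-6216 fix does): drop every
     *  ";name=value" matrix segment, so nothing from it reaches the page. */
    public static String stripMatrixParameters(String path) {
        String[] segments = path.split("/", -1);
        StringBuilder sb = new StringBuilder(path.length());
        for (int i = 0; i < segments.length; i++) {
            String seg = segments[i];
            int semi = seg.indexOf(';');
            sb.append(semi < 0 ? seg : seg.substring(0, semi));
            if (i < segments.length - 1) {
                sb.append('/');
            }
        }
        return sb.toString();
    }

    /** Strategy 2 (the "encoding approach"): keep the path as received and
     *  HTML-escape it at the point where it is written into markup. */
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The vulnerable pattern: the URL is concatenated straight into HTML. */
    public static String renderLinkUnescaped(String url) {
        return "<a href=\"" + url + "\">" + url + "</a>";
    }

    /** The same anchor with output encoding applied in both HTML contexts
     *  (attribute value and element text). */
    public static String renderLinkEscaped(String url) {
        String safe = htmlEscape(url);
        return "<a href=\"" + safe + "\">" + safe + "</a>";
    }

    public static void main(String[] args) {
        String base = "http://localhost:8080"; // assumed host for the demo
        // Constructed hostile request path: a matrix parameter whose value
        // closes the href attribute and injects a script element.
        String requestPath = "/cxf/services;x=\"><script>alert(1)</script>/";

        System.out.println("Unescaped (vulnerable):");
        System.out.println("  " + renderLinkUnescaped(base + requestPath));

        System.out.println("CXF-6216 style, matrix parameters removed:");
        System.out.println("  " + renderLinkUnescaped(base + stripMatrixParameters(requestPath)));

        System.out.println("Encoding style, matrix parameters kept but escaped:");
        System.out.println("  " + renderLinkEscaped(base + requestPath));
    }
}
```

Compile and run with `javac ServiceListUrlDemo.java && java ServiceListUrlDemo`. The stripped variant yields `http://localhost:8080/cxf/services/` and the injected markup is simply gone; the encoded variant keeps `;x=...` in the link but as `&quot;&gt;&lt;script&gt;...`, which the browser renders as text. Stripping only neutralises matrix parameters, while output encoding neutralises anything that reaches the markup, so the two are complementary rather than alternatives, and neither needs an external library for this much.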


    People

      Assignee: Unassigned
      Reporter: Sergey Beryozkin (sergey_beryozkin)
