You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@myfaces.apache.org by "Werner Punz (JIRA)" <de...@myfaces.apache.org> on 2018/11/22 14:21:00 UTC
[jira] [Comment Edited] (MYFACES-4266) Ajax update fails due to
invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16695940#comment-16695940 ]
Werner Punz edited comment on MYFACES-4266 at 11/22/18 2:20 PM:
----------------------------------------------------------------
@tandraschko, how do you wanna address this?
I guess a server side filter is a safer bet.
Basically the client code just gets the cdata out and uses innerHTML to push the update in.
I could prefilter the cdata for illegal chars on the client as well, but I am not sure if this is the proper way to go here.
If the illegal chars come in in between the xml tags I have no way to address this on the client side (basically the browser already throws an xml error then).
was (Author: werpu):
@tandraschko, how do you wanna address this?
I guess a server side filter is a safer bet.
Basically the client code just gets the cdata out and uses innerHTML to push the update in.
I could prefilter the cdata for illegal chars on the client as well, but I am not sure if this is the proper way to go here.
> Ajax update fails due to invalid characters in response XML (DoS)
> -----------------------------------------------------------------
>
> Key: MYFACES-4266
> URL: https://issues.apache.org/jira/browse/MYFACES-4266
> Project: MyFaces Core
> Issue Type: Bug
> Affects Versions: 2.3.2
> Environment: jetty 9.4.14.v20181114
> JDK 10
> Reporter: cnsgithub
> Priority: Major
>
> I noticed that the {{<f:ajax />}} update fails when the updated form contains unicode characters, which are not allowed in the [XML 1.0 spec|https://www.w3.org/TR/REC-xml/#charsets].
> h2. Expected Behaviour
> If the update response contains characters that are not allowed in XML, they should be filtered by MyFaces before writing the response.
> h2. Actual Behaviour
> Some illegal XML characters are not filtered and therefore the browser fails to parse the response.
> h2. Steps to reproduce
> I created a small github project to reproduce this behaviour: [https://github.com/cnsgithub/mojarra-ajax/tree/myfaces] (branch myfaces)
> To reproduce:
> - {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
> - {{git checkout myfaces}}
> - run {{mvn clean package jetty:run}}
> - after the server has started, open [http://localhost:8080/index.xhtml]
> - Click the button, the error should occur
> The issue also occurs with user supplied inputs:
> - open [http://localhost:8080/input.xhtml]
> - Paste the characters from the {{illegal-xml-chars.txt}} file into the input field
> - Click the button
> This issue should be addressed with high priority since it is security related (might be exploited for Denial of Service).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)