Posted to dev@myfaces.apache.org by "Kennard Consulting (JIRA)" <de...@myfaces.apache.org> on 2009/05/27 07:22:45 UTC
[jira] Commented: (TOMAHAWK-1391) Inserting into HTML output is potential security problem
[ https://issues.apache.org/jira/browse/TOMAHAWK-1391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713420#action_12713420 ]
Kennard Consulting commented on TOMAHAWK-1391:
----------------------------------------------
Awesome. Thanks Leonardo. I look forward to the next release!
> Inserting <!-- MYFACES JAVASCRIPT --> into HTML output is potential security problem
> ------------------------------------------------------------------------------------
>
> Key: TOMAHAWK-1391
> URL: https://issues.apache.org/jira/browse/TOMAHAWK-1391
> Project: MyFaces Tomahawk
> Issue Type: Improvement
> Components: ExtensionsFilter
> Affects Versions: 1.1.8
> Reporter: Kennard Consulting
> Assignee: Leonardo Uribe
> Priority: Minor
> Fix For: 1.1.9-SNAPSHOT
>
> Original Estimate: 0.17h
> Remaining Estimate: 0.17h
>
> A recommended practice for security 'hardening' a Web site is to divulge as little architectural information as possible. For example, we suppress the X-Server HTTP header so you don't know what server we are using. We map '*.jsf' to something else so you can't tell we're using JSF.
> However, one giveaway is that in org.apache.myfaces.renderkit.html.util.ExtensionsPhaseListener.java, method getCodeBeforeBodyEnd(), around line 111, there is the line:
> return "<!-- MYFACES JAVASCRIPT -->\n"+writerWrapper.toString()+"\n";
> This always outputs 'MYFACES' into the HTML whenever the ExtensionsPhaseListener is used (even if there is no actual JavaScript being output). I would like to see this line changed to simply...
> return writerWrapper.toString();
> ...which would not give away that we are using JSF.
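A way to audit rendered pages for the giveaway the issue describes, as an added example that is not code from the JIRA thread or from Tomahawk itself. The sample HTML and `Server` header are constructed, and the `.jsf` URL and `javax.faces.ViewState` checks beyond the MYFACES comment are assumptions about what else a JSF page typically exposes.

```python
import re
from typing import Dict, Optional

# Constructed sample response (not from the JIRA thread): a page rendered
# through Tomahawk's ExtensionsFilter, carrying the marker the issue asks to drop.
SAMPLE_HTML = """<html><head><title>Orders</title></head>
<body>
<form id="f" action="/app/orders.jsf" method="post">
<input type="hidden" name="javax.faces.ViewState" value="j_id1:j_id2" />
</form>
<!-- MYFACES JAVASCRIPT -->
<script type="text/javascript" src="/app/faces/myFacesExtensionResource/x.js"></script>
</body></html>"""

# Label -> regex for each telltale. The comment comes straight from the issue;
# the URL-suffix and ViewState patterns are assumptions about typical JSF output.
FINGERPRINTS = {
    "myfaces_comment": re.compile(r"<!--\s*MYFACES JAVASCRIPT\s*-->"),
    "jsf_url_suffix": re.compile(r"""(?:href|action|src)=["'][^"']*\.jsf(?:[?"'])"""),
    "jsf_viewstate_field": re.compile(r'name=["\']javax\.faces\.ViewState["\']'),
}

# Response headers that name the server stack (the issue mentions suppressing one).
STACK_HEADERS = ("server", "x-powered-by", "x-server")


def find_fingerprints(html: str, headers: Optional[Dict[str, str]] = None) -> Dict[str, int]:
    """Count each fingerprint present in the body; flag stack-revealing headers."""
    found = {name: len(rx.findall(html)) for name, rx in FINGERPRINTS.items()}
    for name in (headers or {}):
        if name.lower() in STACK_HEADERS:
            found["header:" + name.lower()] = 1
    return {k: v for k, v in found.items() if v}


def scrub_marker(html: str) -> str:
    """Response-filter mitigation for deployments still on a version that emits
    the marker: strip the comment (and its trailing newline) from the body."""
    return FINGERPRINTS["myfaces_comment"].sub("", html).replace("\n\n", "\n")
```

Running `find_fingerprints` over every response in a staging crawl gives a quick regression check that the marker stays gone after upgrading.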