Posted to dev@myfaces.apache.org by "Kennard Consulting (JIRA)" <de...@myfaces.apache.org> on 2009/05/27 07:22:45 UTC

[jira] Commented: (TOMAHAWK-1391) Inserting into HTML output is potential security problem

    [ https://issues.apache.org/jira/browse/TOMAHAWK-1391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713420#action_12713420 ] 

Kennard Consulting commented on TOMAHAWK-1391:
----------------------------------------------

Awesome. Thanks Leonardo. I look forward to the next release!


> Inserting <!-- MYFACES JAVASCRIPT --> into HTML output is potential security problem
> ------------------------------------------------------------------------------------
>
>                 Key: TOMAHAWK-1391
>                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1391
>             Project: MyFaces Tomahawk
>          Issue Type: Improvement
>          Components: ExtensionsFilter
>    Affects Versions: 1.1.8
>            Reporter: Kennard Consulting
>            Assignee: Leonardo Uribe
>            Priority: Minor
>             Fix For: 1.1.9-SNAPSHOT
>
>   Original Estimate: 0.17h
>  Remaining Estimate: 0.17h
>
> A recommended practice for security 'hardening' of a Web site is to divulge as little architectural information as possible. For example, we suppress the X-Server HTTP header so you don't know what server we are using. We map '*.jsf' to something else so you can't tell we're using JSF. 
> However, one giveaway is that in org.apache.myfaces.renderkit.html.util.ExtensionsPhaseListener.java, method getCodeBeforeBodyEnd(), around line 111, there is the line:
>    return "<!-- MYFACES JAVASCRIPT -->\n"+writerWrapper.toString()+"\n";
> This always outputs 'MYFACES' into the HTML whenever the ExtensionsPhaseListener is used (even if there is no actual JavaScript being output). I would like to see this line change to simply...
>    return writerWrapper.toString();
> which would not give away that we are using JSF.
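The issue above is an information-disclosure problem: the `ExtensionsPhaseListener` marker comment, `*.jsf` URLs and server banner headers all tell a reader which stack renders the page. The following is an added self-audit check, not code from Tomahawk or from the reporter; `find_framework_disclosures` and the sample responses are constructed here, and it looks only for the indicators the issue names (plus the standard `Server` and `X-Powered-By` headers, which is an assumption on my part) so that a team can confirm its hardening actually removed them.

```python
import re
from typing import Dict, List

# Indicators named in TOMAHAWK-1391: the fixed marker comment that
# ExtensionsPhaseListener.getCodeBeforeBodyEnd() emits, and '*.jsf' URLs.
MYFACES_MARKER = "<!-- MYFACES JAVASCRIPT -->"
JSF_URL_RE = re.compile(
    r"""(?:href|action|src)\s*=\s*["'][^"']*\.jsf(?:[?#"'])""", re.IGNORECASE
)

# Response headers that commonly carry a product banner. 'X-Server' is the name
# used in the issue text; 'Server' and 'X-Powered-By' are added as an assumption.
BANNER_HEADERS = ("server", "x-server", "x-powered-by")


def find_framework_disclosures(headers: Dict[str, str], html: str) -> List[str]:
    """Return one finding per place where a response reveals the framework/server."""
    findings: List[str] = []
    for name, value in headers.items():
        if name.lower() in BANNER_HEADERS and value.strip():
            findings.append(f"header {name} discloses '{value}'")
    if MYFACES_MARKER in html:
        findings.append("body contains the MYFACES JAVASCRIPT marker comment")
    for match in JSF_URL_RE.finditer(html):
        findings.append(f"body links to a .jsf URL: {match.group(0)}")
    return findings


# Constructed sample responses (not captured from any real server).
LEAKY_HEADERS = {"X-Server": "Apache Tomcat", "Content-Type": "text/html"}
LEAKY_HTML = (
    '<html><body><form action="/app/login.jsf">...</form>\n'
    "<!-- MYFACES JAVASCRIPT -->\n<script>/* tomahawk */</script>\n</body></html>"
)
HARDENED_HEADERS = {"Content-Type": "text/html"}
HARDENED_HTML = (
    '<html><body><form action="/app/login.do">...</form>\n'
    "<script>/* tomahawk */</script>\n</body></html>"
)

if __name__ == "__main__":
    for label, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_HTML),
                              ("hardened", HARDENED_HEADERS, HARDENED_HTML)):
        print(label, find_framework_disclosures(hdrs, body) or "no disclosures")
```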

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.