Posted to commits@wicket.apache.org by "Martin Petricek (JIRA)" <ji...@apache.org> on 2014/12/04 15:25:12 UTC

[jira] [Created] (WICKET-5782) Missing escaping in MultiFileUploadField.js - sort of XSS

Martin Petricek created WICKET-5782:
---------------------------------------

             Summary: Missing escaping in MultiFileUploadField.js - sort of XSS
                 Key: WICKET-5782
                 URL: https://issues.apache.org/jira/browse/WICKET-5782
             Project: Wicket
          Issue Type: Bug
    Affects Versions: 6.17.0
            Reporter: Martin Petricek


When uploading files via org.apache.wicket.markup.html.form.upload.MultiFileUploadField component, names of uploaded files are added into a table. 

Inside MultiFileUploadField.js is line that adds names of files:

{code}
contentsColumn.innerHTML = this.getOnlyFileNames(element);
{code}

This code is missing any escaping, so if you upload file named: 
{code}
<code onmouseover=alert(1)>.doc
{code}

and hover on the name, you trigger sort of an XSS.

It is unlikely to be a real threat, as you can probably only attack yourself with this bug and it is very uncommon to have files with "<" or ">" characters in their name, but "&" can be relatively common in names of files and "&" needs proper escaping too.

So before adding the filename to contentsColumn.innerHTML, it needs to be properly escaped.
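The fix the report asks for, shown as an added example that is not Wicket's code and not part of the original issue: the raw filename string goes into innerHTML unchanged in the vulnerable form, while the hardened form runs every name through an HTML escaper first. The helper names (escapeHtml, renderUnsafe, renderEscaped) and the sample filenames are constructed for this example; joining names with `<br>` is an assumption about how the table cell is filled, not something the issue states.

```javascript
// Added example, not the Wicket project's code. Shows the unescaped
// innerHTML pattern from the report beside an escaped replacement.

// Map of the five characters that must not reach markup unescaped.
// "&" is handled too, since it is the one the report calls common.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string so it is rendered as text when assigned to innerHTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mirrors the vulnerable line: filenames become markup verbatim.
// (Joining with <br> is an assumption about the cell layout.)
function renderUnsafe(fileNames) {
  return fileNames.join('<br>');
}

// Hardened form: every name is escaped before it touches the markup.
function renderEscaped(fileNames) {
  return fileNames.map(escapeHtml).join('<br>');
}

// Constructed sample filenames: an ordinary name, the markup-shaped name
// from the report, and the far more common "&" case.
const SAMPLE_NAMES = [
  'report.doc',
  '<code onmouseover=alert(1)>.doc',
  'Q1 & Q2 results.xlsx',
];

// Stand-alone run: print both renderings so the difference is visible.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe : ' + renderUnsafe(SAMPLE_NAMES));
  console.log('escaped: ' + renderEscaped(SAMPLE_NAMES));
}
```

If the cell only ever holds plain text with no markup of its own, assigning the names to `contentsColumn.textContent` (or appending text nodes) avoids the escaping step entirely, because the browser never parses the value as HTML; escaping is needed only when the string is deliberately mixed with markup through innerHTML.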


