Posted to commits@wicket.apache.org by "Joel Barciauskas (JIRA)" <ji...@apache.org> on 2010/06/08 18:55:11 UTC
[jira] Commented: (WICKET-2907) XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
[ https://issues.apache.org/jira/browse/WICKET-2907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12876725#action_12876725 ]
Joel Barciauskas commented on WICKET-2907:
------------------------------------------
For anyone viewing this issue before it is resolved whom it might affect, I believe changing your application to use a crypted URL strategy, e.g. adding this to your WicketApplication.java:

    import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
    import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
    import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
    import org.apache.wicket.request.IRequestCodingStrategy;
    import org.apache.wicket.request.IRequestCycleStrategy;

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        return new WebRequestCycleProcessor() {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                // Wrap the default strategy so that the URLs Wicket generates are
                // encrypted with the session's key instead of carrying their
                // parameters in the clear.
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }

would prevent the issue, although it means bookmarkable URLs are only valid for the session within which they are generated.
> XSS vulnerability when enabling AutomaticMultiWindowSupport and using AJAX and BookmarkablePageLink features
> ------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-2907
> URL: https://issues.apache.org/jira/browse/WICKET-2907
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.9
> Reporter: Joel Barciauskas
> Attachments: xsstest.zip
>
>
> When using the default URL coding strategy, along with AutomaticMultiWindowSupport set to true, any BookmarkablePageLink may be modified to enable injection of arbitrary JavaScript code.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
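As an added example, not code from the reporter or from the Wicket project: a complete Wicket 1.4 WebApplication subclass that installs the encrypted URL coding strategy suggested in the comment above, and additionally switches off AutomaticMultiWindowSupport, which the issue title and description name as a precondition of the bug. Disabling that feature is an inference from the title, not a workaround the reporter states, and it is only an option for applications that do not rely on multi-window support. The package, class names and the nested HomePage are assumed for illustration (the HomePage still needs its HomePage.html markup at runtime).

```java
package com.example.xsstest;   // hypothetical package

import org.apache.wicket.Page;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;

// Hypothetical application class; not part of the reporter's attachment.
public class HardenedApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();
        // Precaution 2 (inferred from the issue title): the bug needs
        // AutomaticMultiWindowSupport enabled, so turning it off removes that
        // precondition. Leave this out if your application depends on the feature.
        getPageSettings().setAutomaticMultiWindowSupport(false);
    }

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        // Precaution 1 (the reporter's workaround): encrypt every URL Wicket
        // generates. Trade-off: bookmarkable URLs are bound to the session that
        // produced them, so they cannot be shared or bookmarked across sessions.
        return new WebRequestCycleProcessor() {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }

    // Hypothetical placeholder home page; requires a HomePage.html beside the class.
    public static class HomePage extends WebPage {
    }
}
```

After deploying either precaution, re-run the reproduction from the issue's xsstest.zip attachment against the application: with encrypted URLs a hand-edited BookmarkablePageLink URL no longer carries readable parameters, and with multi-window support disabled the affected code path is not reached.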