Posted to dev@tapestry.apache.org by Igor Drobiazko <ig...@gmail.com> on 2010/04/30 18:00:26 UTC

Re: svn commit: r939469 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/resources/org/apache/tapestry5/corelib/components/datefield.js test/java/org/apache/tapestry5/integration/app1/FormTests.java

Thanks, I'll have a look.

On Fri, Apr 30, 2010 at 10:16 AM, Nourredine K. <no...@yahoo.com> wrote:

>
> Hi,
>
> I think there is another vulnerability in the datefield.js script. It can
> happen, in the ajax response, when you select a date from the calendar.
> (please, refer to the last patch on
> https://issues.apache.org/jira/browse/TAP5-1057. Still need to replace the
> escape function with String.escapeHTML as you've suggested)
>
> To reproduce the xss attack, our client uses a proxy. After selecting a
> date from the calendar, modify the url by adding js code at the end (the
> resulting url looks like
> http://server:port/context/pagename.componentid:format?input=1268652856000""><script>alert("T5 is great!");</script>)
>
>
>
> drobiazko wrote:
> >
> > Author: drobiazko
> > Date: Thu Apr 29 19:55:34 2010
> > New Revision: 939469
> >
> > URL: http://svn.apache.org/viewvc?rev=939469&view=rev
> > Log:
> > TAP5-1057: XSS vulnerability in calendar component
> >
> > Modified:
> >
> >
> tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
> >
> >
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java
> >
> > Modified:
> >
> tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
> > URL:
> >
> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js?rev=939469&r1=939468&r2=939469&view=diff
> >
> ==============================================================================
> > ---
> >
> tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
> > (original)
> > +++
> >
> tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
> > Thu Apr 29 19:55:34 2010
> > @@ -48,7 +48,7 @@ Tapestry.DateField = Class.create( {
> >                       }
> >               }
> >
> > -             var value = $F(this.field);
> > +             var value = $F(this.field).escapeHTML();
> >
> >               if (value == "") {
> >                       this.datePicker.setDate(null);
> >
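Review bot: `$F(this.field).escapeHTML()` escapes at the point the value is read, not at the sink where it is written, so it encodes for the wrong context if this value later ends up in the `?input=` request the report above describes (a query parameter wants `encodeURIComponent`, not HTML escaping), and it does nothing for a `:format` request built outside this script, which is exactly the proxy-modified URL in the report. The echo of the input into the response needs to be escaped on the server side at the point it is written into HTML; once that is in place this client-side call can be dropped. A smaller point: escaping before the `value == ""` check and before the date is parsed means a value containing `&`, `<` or `>` is compared and parsed in its escaped form, which is harmless here but deserves a comment.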
> > Modified:
> >
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java
> > URL:
> >
> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java?rev=939469&r1=939468&r2=939469&view=diff
> >
> ==============================================================================
> > ---
> >
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java
> > (original)
> > +++
> >
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java
> > Thu Apr 29 19:55:34 2010
> > @@ -231,6 +231,19 @@ public class FormTests extends TapestryC
> >
> >          clickAndWait("link=english");
> >      }
> > +
> > +    // TAP5-1057
> > +    @Test
> > +    public void xss_datefield()
> > +    {
> > +        clickThru("DateField Demo", "clear", "english");
> > +
> > +        type("asteroidImpact", "<script>alert('T5 is great');
> > </script>");
> > +
> > +        click("id=asteroidImpact-trigger");
> > +
> > +        assertBubbleMessage("asteroidImpact", "Unparseable date:
> > \"<script>alert('T5 is great'); </script>\"");
> > +    }
> >
> >      @Test
> >      public void event_based_translate() throws Exception
> >
> >
> >
> >
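Review bot: `xss_datefield` exercises only the typed-input path (`type` into `asteroidImpact`, then click the trigger), which is the one path the client-side `escapeHTML()` covers; the report above describes reaching the `:format` response through its `?input=` parameter directly, which never runs that script, so a second test that requests that URL with a non-date value and checks the response body for the escaped form is needed to show the fix is complete. Also, the assertion on `Unparseable date: \"<script>...\"` only proves the text was not interpreted as markup if `assertBubbleMessage` compares rendered text rather than innerHTML; a one-line comment stating that would make the intent of the expected string clear to the next reader.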


-- 
Best regards,

Igor Drobiazko
http://tapestry5.de/blog
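The thread turns on where the escaping happens: the quoted commit escapes the field value on the client when it is read, while Nourredine's report shows a `:format` request whose query string is edited in a proxy, so the client script never sees it. The following is an added example, not code from the Tapestry project or from this thread, written to show the alternative: encode for the URL when the request is built, validate and escape for HTML on the server when the response is written. The host, page name, `handleFormatRequest` and `demo` are hypothetical, and the server side is simulated as a plain function.

```javascript
// Added example (not Tapestry code): encode at each output context instead
// of escaping the field value once when it is read.

// HTML-context escaper, the same idea as Prototype's String#escapeHTML used
// in the commit, extended to cover quotes so it is also safe inside
// attribute values.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Client side: the raw field value goes into a query string, so it is
// URL-encoded there. No HTML escaping on the client; that is the wrong
// context, and the server cannot rely on it anyway.
function buildFormatUrl(baseUrl, rawValue) {
  return baseUrl + "?input=" + encodeURIComponent(rawValue);
}

// Server side (simulated, hypothetical handler): validate the parameter as a
// number of milliseconds, then escape whatever is echoed back into the HTML
// response at the point it is written. Because this runs on the server, a
// request modified in a proxy is handled the same way as a normal one.
function handleFormatRequest(requestUrl) {
  const input = new URL(requestUrl).searchParams.get("input") || "";
  const millis = /^\d+$/.test(input) ? Number(input) : NaN;
  if (!Number.isFinite(millis)) {
    // Error message echoes the input, so it is escaped here, at the sink.
    return '<div class="bubble">Unparseable date: "' + escapeHTML(input) + '"</div>';
  }
  const iso = new Date(millis).toISOString().slice(0, 10);
  return '<input type="text" value="' + escapeHTML(iso) + '">';
}

// Constructed inputs: hypothetical host and page name.
const BASE = "http://app.example/context/pagename.datefield:format";

// Normal flow: the client builds the request from the field value.
const normalUrl = buildFormatUrl(BASE, "1268652856000");

// Tampered flow: the query string is edited directly, bypassing the client
// script, with a marker that would be rendered as markup if echoed raw.
const tamperedUrl = BASE + "?input=1268652856000%22%3E%3Ci%3Etampered%3C/i%3E";

// Returns both responses so the result can be inspected or asserted on.
function demo() {
  return {
    normal: handleFormatRequest(normalUrl),
    tampered: handleFormatRequest(tamperedUrl),
  };
}

console.log(demo().normal);
console.log(demo().tampered);
```

The tampered response contains `&lt;i&gt;tampered&lt;/i&gt;` rather than an `<i>` element, regardless of anything the client script did or did not do; the normal response renders the date (2010-03-15 for the timestamp in the report). The design point is that validation (`/^\d+$/`) and output escaping both sit next to the sink, so a new caller of the `:format` URL cannot bypass them.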