Posted to users@myfaces.apache.org by rajat swarup <ra...@gmail.com> on 2007/05/10 19:19:53 UTC

Cross-site scripting in autoscroll parameter

I was playing around with a MyFaces JSF application and observed that
the autoscroll parameter is vulnerable to cross-site scripting.
For example, putting the following information in the POST request
autoScroll=0%2C0);//--></script><IMG%20src="bla"%20onerror="alert(document.cookie)"><script>(
results in a JavaScript pop-up.

Anyone else observed this behavior?

-- 
Rajat Swarup

http://rajatswarup.blogspot.com/
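The payload above works because the parameter value is written into a script block as free text, so "0,0" can be followed by a closing parenthesis, a closing script tag and arbitrary markup. The defender's fix is to stop treating the parameter as text at all: parse it as two integers and rebuild the scroll call from the parsed value, so no untrusted characters ever reach the page. The following is an added, stand-alone example and is not MyFaces code; the class and method names and the assumed `window.scrollTo(x,y)` output are illustrative only, chosen because the poster's payload closes a parenthesis and a script tag:

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not MyFaces code): validate an autoScroll request parameter
 * before it is echoed into a script block. The parameter is expected to be
 * "x,y" with two non-negative integers; anything else falls back to "0,0".
 */
public final class AutoScrollSanitizer {

    // Strict allow-list: two decimal numbers separated by a comma, nothing else.
    // The 1-6 digit limit is an assumption; pick whatever bound fits the page.
    private static final Pattern AUTOSCROLL = Pattern.compile("^(\\d{1,6}),(\\d{1,6})$");

    private AutoScrollSanitizer() {}

    /** Returns a value that is safe to place inside the script literal. */
    public static String sanitize(String raw) {
        if (raw == null) {
            return "0,0";
        }
        Matcher m = AUTOSCROLL.matcher(raw.trim());
        if (!m.matches()) {
            // Anything that is not exactly "digits,digits" is discarded,
            // including the "0,0);//--></script>..." payload from the post.
            return "0,0";
        }
        // Rebuild from the captured groups rather than echoing the raw input.
        return m.group(1) + "," + m.group(2);
    }

    /** Builds the scroll call the page emits, using only the sanitized value. */
    public static String scrollScript(String raw) {
        return "window.scrollTo(" + sanitize(raw) + ");";
    }

    public static void main(String[] args) {
        // URL-decoded form of the payload quoted in the post above.
        String attack = "0,0);//--></script><IMG src=\"bla\" onerror=\"alert(document.cookie)\"><script>(";
        System.out.println(scrollScript("120,340")); // window.scrollTo(120,340);
        System.out.println(scrollScript(attack));    // window.scrollTo(0,0);
        System.out.println(scrollScript(null));      // window.scrollTo(0,0);
    }
}
```

Allow-listing the shape of the value is preferable to escaping here: the parameter has a single legitimate form, so there is nothing to encode, and the same check also rejects malformed but harmless input that would otherwise produce a broken script.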