Posted to users@myfaces.apache.org by rajat swarup <ra...@gmail.com> on 2007/05/10 19:19:53 UTC
Cross-site scripting in autoscroll parameter
I was playing around with a MyFaces JSF application and observed that
the autoscroll parameter is vulnerable to cross-site scripting.
For example, putting the following information in the POST request
autoScroll=0%2C0);//--></script><IMG%20src="bla"%20onerror="alert(document.cookie)"><script>(
results in a JavaScript pop-up.
Has anyone else observed this behavior?
--
Rajat Swarup
http://rajatswarup.blogspot.com/
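
A defensive sketch of how an application can handle such a parameter, added here as an example; it is not part of the original post and not MyFaces' own code. It assumes the value is meant to be an "x,y" scroll position that ends up inside an inline script (the shape of the reported value suggests this), and the class and method names are hypothetical.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: allowlist parsing of a scroll-position parameter (hypothetical names). */
public class AutoScrollGuard {
    // Exactly two non-negative ASCII integers, "x,y", at most 6 digits each.
    private static final Pattern COORDS = Pattern.compile("(\\d{1,6}),(\\d{1,6})");

    /** Returns {x, y} only if the URL-decoded value is two plain integers. */
    static Optional<int[]> parse(String decodedValue) {
        if (decodedValue == null) {
            return Optional.empty();
        }
        Matcher m = COORDS.matcher(decodedValue);
        if (!m.matches()) {          // matches() requires the whole string to fit
            return Optional.empty();
        }
        return Optional.of(new int[] {
            Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)) });
    }

    /**
     * Builds the inline script from the parsed ints, never from the raw string.
     * Assumption: the page restores the position with window.scrollTo(x, y).
     */
    static String renderScrollScript(String decodedValue) {
        return parse(decodedValue)
            .map(c -> "<script>window.scrollTo(" + c[0] + "," + c[1] + ");</script>")
            .orElse("");             // invalid input: emit nothing at all
    }

    public static void main(String[] args) {
        String benign = "0,120";     // constructed sample value
        // URL-decoded form of the value quoted in the post above
        String reported = "0,0);//--></script><IMG src=\"bla\" "
            + "onerror=\"alert(document.cookie)\"><script>(";
        System.out.println("benign   -> " + renderScrollScript(benign));
        System.out.println("reported -> [" + renderScrollScript(reported) + "]");
    }
}
```

The benign value yields a `scrollTo` call built from two integers, and the reported value yields an empty string because it fails the whole-string match.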