Posted to commits@wicket.apache.org by "Sven Meier (JIRA)" <ji...@apache.org> on 2015/11/19 10:15:11 UTC
[jira] [Resolved] (WICKET-6037) ModalWindow vulnerable to Javascript injection through title model
[ https://issues.apache.org/jira/browse/WICKET-6037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sven Meier resolved WICKET-6037.
--------------------------------
Resolution: Fixed
Assignee: Sven Meier
Fix Version/s: 6.22.0, 8.0.0-M1, 7.2.0, 1.5.15
Escaping of ModalWindow's title is now configurable through #setEscapeModelValue(); the default is true.
> ModalWindow vulnerable to Javascript injection through title model
> ------------------------------------------------------------------
>
> Key: WICKET-6037
> URL: https://issues.apache.org/jira/browse/WICKET-6037
> Project: Wicket
> Issue Type: Bug
> Components: wicket-extensions
> Affects Versions: 1.5.11, 7.1.0
> Reporter: Tobias Gierke
> Assignee: Sven Meier
> Fix For: 1.5.15, 7.2.0, 8.0.0-M1, 6.22.0
>
>
> I came across this while fixing XSS vulnerabilities found during a penetration test of our application (which sadly still uses Wicket 1.5.x).
> Just to be sure, I also checked the source from Wicket 7.1.0 and the issue is present as well.
> The following lines in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow#getWindowOpenJavaScript() are the culprit
> ------------------
> Object title = getTitle() != null ? getTitle().getObject() : null;
> if (title != null)
> {
>     appendAssignment(buffer, "settings.title", escapeQuotes(title.toString()));
> }
> -----------------
> Using escapeQuotes() is not enough since Javascript written without quotes is still executed by at least the latest Firefox version (didn't bother checking other browsers).
> For example having the title model return a string that contains
> <i onclick=alert(1)>stuff</i>
> will make the browser show a JS popup when clicking on the dialog title.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
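An added example, not Wicket's own code, contrasting the quotes-only escaping used in the snippet quoted above with HTML entity escaping of the title before it is placed into the settings.title assignment; escapeQuotes, escapeMarkup and titleAssignment are stand-ins written for this example and are not Wicket's API.

```java
// Added example (not Wicket code): why escaping quotes alone does not make a
// title safe to render as markup, and what entity escaping changes.
public class ModalTitleEscaping {

    // Stand-in for a quotes-only escaper (assumed shape, as used in the issue):
    // makes the value safe inside a JS string literal, but leaves markup intact.
    static String escapeQuotes(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"").replace("'", "\\'");
    }

    // HTML entity escaping: markup characters are rendered as literal text,
    // so no element or event handler attribute can be created from the title.
    static String escapeMarkup(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds the assignment the way the quoted snippet does; escapeModelValue
    // mirrors the new setEscapeModelValue() switch (default true after the fix).
    static String titleAssignment(String title, boolean escapeModelValue) {
        String value = escapeModelValue ? escapeMarkup(title) : title;
        return "settings.title = \"" + escapeQuotes(value) + "\";";
    }

    // Check a defender can run over generated JS: does a raw tag survive?
    static boolean containsTag(String js) {
        return js.matches("(?s).*<[A-Za-z].*");
    }

    public static void main(String[] args) {
        // Constructed input: the proof-of-concept title from the issue report.
        String title = "<i onclick=alert(1)>stuff</i>";
        String unsafe = titleAssignment(title, false);
        String safe = titleAssignment(title, true);
        System.out.println(unsafe + "  tag survives: " + containsTag(unsafe)); // true
        System.out.println(safe + "  tag survives: " + containsTag(safe));     // false
    }
}
```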