Posted to commits@wicket.apache.org by "Sven Meier (JIRA)" <ji...@apache.org> on 2015/11/19 10:15:11 UTC

[jira] [Resolved] (WICKET-6037) ModalWindow vulnerable to Javascript injection through title model

     [ https://issues.apache.org/jira/browse/WICKET-6037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sven Meier resolved WICKET-6037.
--------------------------------
       Resolution: Fixed
         Assignee: Sven Meier
    Fix Version/s: 6.22.0
                   8.0.0-M1
                   7.2.0
                   1.5.15

Escaping of ModalWindow's title is configurable now through #setEscapeModelValue(), default is true.

> ModalWindow vulnerable to Javascript injection through title model
> ------------------------------------------------------------------
>
>                 Key: WICKET-6037
>                 URL: https://issues.apache.org/jira/browse/WICKET-6037
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-extensions
>    Affects Versions: 1.5.11, 7.1.0
>            Reporter: Tobias Gierke
>            Assignee: Sven Meier
>             Fix For: 1.5.15, 7.2.0, 8.0.0-M1, 6.22.0
>
>
> I came across this while fixing XSS vulnerabilities found during a penetration test of our application (which sadly still uses Wicket 1.5.x).
> Just to be sure, I also checked the source from Wicket 7.1.0 and the issue is present as well.
> The following lines in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow#getWindowOpenJavaScript() are the culprit
> ------------------
> 		Object title = getTitle() != null ? getTitle().getObject() : null;
> 		if (title != null)
> 		{
> 			appendAssignment(buffer, "settings.title", escapeQuotes(title.toString()));
> 		}
> -----------------
> Using escapeQuotes() is not enough since Javascript written without quotes is still executed by at least the latest Firefox version (didn't bother checking other browsers).
> For example having the title model return a string that contains
>     <i onclick=alert(1)>stuff</i>
> will make the browser show a JS popup when clicking on the dialog title.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
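
The difference between the quote escaping in the reported lines and the markup escaping that the resolution makes the default, shown as an added example that is not Wicket's own code. `escapeQuotes`, `escapeMarkup`, `titleAssignment` and the `escapeModelValue` flag are hypothetical stand-ins with assumed behaviour, and the exact form of the generated assignment is also an assumption.

```java
public class ModalTitleEscaping {

    // Stand-in for the quote escaping in the reported lines (assumed behaviour:
    // backslash-escape double quotes so the JavaScript string literal stays closed).
    static String escapeQuotes(String s) {
        return s.replace("\"", "\\\"");
    }

    // Stand-in for HTML markup escaping; '&' goes first so entities are not double-escaped.
    static String escapeMarkup(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;")
                .replace("'", "&#039;");
    }

    // Builds the title assignment in the style of the reported lines. escapeModelValue is a
    // hypothetical flag modelled on the setEscapeModelValue() switch named in the resolution.
    static String titleAssignment(String title, boolean escapeModelValue) {
        String value = escapeModelValue ? escapeMarkup(title) : title;
        return "settings.title=\"" + escapeQuotes(value) + "\";";
    }

    // True if the generated script still carries a raw tag delimiter that the
    // browser would parse as markup once the title is rendered.
    static boolean carriesRawMarkup(String script) {
        return script.indexOf('<') >= 0 || script.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        String[] titles = {
            "<i onclick=alert(1)>stuff</i>",   // string from the report
            "Edit \"draft\" & save"            // constructed benign title
        };
        for (String title : titles) {
            for (boolean escape : new boolean[] {false, true}) {
                String script = titleAssignment(title, escape);
                System.out.printf("escape=%-5b rawMarkup=%-5b %s%n",
                        escape, carriesRawMarkup(script), script);
            }
        }
    }
}
```

A check like `carriesRawMarkup` fits in a unit test over title models that carry user-controlled data, so that turning escaping off for a title is a visible, reviewed decision.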