Posted to commits@wicket.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/12/04 17:19:12 UTC

[jira] [Commented] (WICKET-5782) Missing escaping in MultiFileUploadField.js - sort of XSS

    [ https://issues.apache.org/jira/browse/WICKET-5782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14234310#comment-14234310 ] 

ASF subversion and git services commented on WICKET-5782:
---------------------------------------------------------

Commit 354e07129e587043d1eba32e08b0d82c4fc404e0 in wicket's branch refs/heads/wicket-6.x from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=354e071 ]

WICKET-5782 Missing escaping in MultiFileUploadField.js - sort of XSS


> Missing escaping in MultiFileUploadField.js - sort of XSS
> ---------------------------------------------------------
>
>                 Key: WICKET-5782
>                 URL: https://issues.apache.org/jira/browse/WICKET-5782
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 6.17.0
>            Reporter: Martin Petricek
>             Fix For: 7.0.0-M5, 6.19.0
>
>
> When uploading files via org.apache.wicket.markup.html.form.upload.MultiFileUploadField component, names of uploaded files are added into a table. 
> Inside MultiFileUploadField.js is line that adds names of files:
> {code}
> contentsColumn.innerHTML = this.getOnlyFileNames(element);
> {code}
> This code is missing any escaping, so if you upload file named: 
> {code}
> <code onmouseover=alert(1)>.doc
> {code}
> and hover on the name, you trigger sort of an XSS.
> It is unlikely to be a real threat, as you can probably only attack yourself with this bug and it is very uncommon to have files with "<" or ">" characters in their name, but "&" can be relatively common in names of files and "&" needs proper escaping too.
> So before adding the filename to contentsColumn.innerHTML, it needs to be properly escaped.



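As an added illustration (not Wicket's own code, and not the change made in commit 354e071), the following JavaScript contrasts the unescaped `innerHTML` assignment described in the issue with two escaped renderings. The `escapeHtml`, `makeCell` and `render*` helpers are assumptions introduced here; the sample file names are constructed for the example, and the plain-object "cell" stands in for a DOM element so the code runs outside a browser.

```javascript
// Added example for WICKET-5782 (not project code): unescaped vs. escaped
// rendering of an uploaded file name into a table cell.

// Escape the five characters that matter in an HTML text/attribute context.
// '&' must be handled first so the entities produced for the others stay intact.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed stand-in for a DOM element; a real browser cell would parse
// innerHTML into nodes, which is exactly where the unescaped name becomes markup.
function makeCell() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern from the report: the raw file name is treated as markup.
function renderUnescaped(cell, fileName) {
  cell.innerHTML = fileName;
  return cell.innerHTML;
}

// Fix A: escape the name before it is placed into markup.
function renderEscaped(cell, fileName) {
  cell.innerHTML = escapeHtml(fileName);
  return cell.innerHTML;
}

// Fix B: assign the name as text, so the browser never parses it as HTML.
// Preferable when the cell only needs to show the file name.
function renderAsText(cell, fileName) {
  cell.textContent = fileName;
  return cell.textContent;
}

// Simple check a reviewer can run over rendered output: does the string
// still contain something that would be parsed as an element start tag?
function containsMarkup(html) {
  return /<[a-zA-Z]/.test(html);
}

// Constructed sample names: the reporter's payload and a benign name with '&'.
const SAMPLE_NAMES = ['<code onmouseover=alert(1)>.doc', 'Q1 & Q2 report.xlsx'];

// Render every sample with each strategy and report whether markup survived.
function demo() {
  const results = {};
  for (const name of SAMPLE_NAMES) {
    results[name] = {
      unescaped: renderUnescaped(makeCell(), name),
      escaped: renderEscaped(makeCell(), name),
      asText: renderAsText(makeCell(), name),
      unescapedHasMarkup: containsMarkup(renderUnescaped(makeCell(), name)),
      escapedHasMarkup: containsMarkup(renderEscaped(makeCell(), name)),
    };
  }
  return results;
}

for (const [name, r] of Object.entries(demo())) {
  console.log(JSON.stringify(name), '->', JSON.stringify(r));
}
```

The ampersand case is the one the reporter flags as common: without escaping, a name such as `Q1 & Q2 report.xlsx` is not an injection but is still mis-parsed as an entity fragment; with escaping it round-trips correctly.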
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)