Posted to commits@wicket.apache.org by "Tobias Gierke (JIRA)" <ji...@apache.org> on 2015/11/18 12:23:10 UTC

[jira] [Created] (WICKET-6037) ModalWindow vulnerable to Javascript injection through title model

Tobias Gierke created WICKET-6037:
-------------------------------------

             Summary: ModalWindow vulnerable to Javascript injection through title model
                 Key: WICKET-6037
                 URL: https://issues.apache.org/jira/browse/WICKET-6037
             Project: Wicket
          Issue Type: Bug
          Components: wicket-extensions
    Affects Versions: 7.1.0, 1.5.11
            Reporter: Tobias Gierke


I came across this while fixing XSS vulnerabilities found during a penetration test of our application (which sadly still uses Wicket 1.5.x).

Just to be sure, I also checked the source from Wicket 7.1.0 and the issue is present as well.

The following lines in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow#getWindowOpenJavaScript() are the culprit:
------------------
		Object title = getTitle() != null ? getTitle().getObject() : null;
		if (title != null)
		{
			appendAssignment(buffer, "settings.title", escapeQuotes(title.toString()));
		}
-----------------

Using escapeQuotes() is not enough since JavaScript written without quotes is still executed by at least the latest Firefox version (didn't bother checking other browsers).

For example, having the title model return a string that contains

    <i onclick=alert(1)>stuff</i>

will make the browser show a JS popup when clicking on the dialog title.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
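
The gap described in the report above, as an added example that is not part of the original message and is not Wicket's code: quote-only escaping leaves the reported title string's markup intact, while HTML-escaping it first leaves no tag for the browser to parse. `escapeQuotes`, `escapeMarkup` and `assignment` here are hypothetical stand-ins, written on the assumption that quote escaping backslash-escapes double quotes and nothing else.

```java
public class TitleEscapingDemo {

    // Hypothetical stand-in for quote-only escaping (assumption: it
    // backslash-escapes double quotes and touches nothing else).
    static String escapeQuotes(String s) {
        return s.replace("\"", "\\\"");
    }

    // HTML-escape the characters that let a string introduce markup.
    static String escapeMarkup(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in for emitting a JavaScript string assignment.
    static String assignment(String key, String value) {
        return key + "=\"" + value + "\";";
    }

    public static void main(String[] args) {
        // Title string taken from the report.
        String title = "<i onclick=alert(1)>stuff</i>";

        // Quote-only escaping: the string has no quotes, so it passes unchanged.
        String before = assignment("settings.title", escapeQuotes(title));
        // Markup escaping first, then quote escaping for the JS string literal.
        String after = assignment("settings.title", escapeQuotes(escapeMarkup(title)));

        System.out.println("quote-only : " + before);
        System.out.println("html+quote : " + after);

        // The first form still carries the tag and its event handler attribute.
        if (!before.contains("<i onclick=")) throw new AssertionError("tag expected");
        // The second form contains no angle brackets, so no element is created.
        if (after.contains("<") || after.contains(">")) throw new AssertionError("markup left");
    }
}
```

The order matters: markup escaping runs on the raw model value, and quote escaping is applied last so the result is still a valid JavaScript string literal.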