Posted to dev@click.apache.org by "Tsuyoshi Yamamoto (JIRA)" <ji...@apache.org> on 2011/04/24 16:27:05 UTC
[jira] [Created] (CLK-762) Cross Site Scripting Issue in ErrorPage
Cross Site Scripting Issue in ErrorPage
---------------------------------------
Key: CLK-762
URL: https://issues.apache.org/jira/browse/CLK-762
Project: Click
Issue Type: Bug
Environment: N/A
Reporter: Tsuyoshi Yamamoto
Click 2.3.0 line 289 in ErrorReport.java should be HTML-escaped, because the QueryString may include malicious HTML / JavaScript which causes Cross Site Scripting on the ErrorPage.
For example, Click causes a java.lang.NumberFormatException when the query string 'id' expects an integer value but a string is passed. And if the string is '241<script>alert(20908)</script>' then we can see the popup on the ErrorPage, which results in a vulnerability of the webapp.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
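To make the defect concrete, here is an added example (not Click's ErrorReport.java and not the committed fix) that renders the query-string and exception-message cells of an error report once unescaped and once escaped. The class and method names (ErrorReportExample, escapeHtml, renderUnescaped, renderEscaped) and the sample request are constructed for this illustration; note that the NumberFormatException message itself echoes the offending input, so it must be escaped as well.

```java
// Added example, not Click's own code: minimal error-report renderer
// showing the vulnerable (raw) and fixed (HTML-escaped) forms.
public class ErrorReportExample {

    // Escapes the characters that can break out of an HTML text node or a
    // double-quoted attribute. Assumption: the value is never placed
    // inside a <script> block or an event-handler attribute.
    static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable form: request-derived strings are concatenated as-is.
    static String renderUnescaped(String queryString, Throwable error) {
        return "<td>Query String</td><td>" + queryString + "</td>"
             + "<td>Message</td><td>" + error.getMessage() + "</td>";
    }

    // Fixed form: every request-derived value passes through escapeHtml,
    // including the exception message, which repeats the bad input.
    static String renderEscaped(String queryString, Throwable error) {
        return "<td>Query String</td><td>" + escapeHtml(queryString) + "</td>"
             + "<td>Message</td><td>" + escapeHtml(error.getMessage()) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed request modelled on the report: 'id' should be an int.
        String id = "241<script>alert(20908)</script>";
        String query = "id=" + id;
        try {
            Integer.parseInt(id);
        } catch (NumberFormatException e) {
            System.out.println(renderUnescaped(query, e)); // markup survives
            System.out.println(renderEscaped(query, e));   // markup neutralised
        }
    }
}
```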
[jira] [Resolved] (CLK-762) Cross Site Scripting Issue in ErrorPage
Posted by "Bob Schellink (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CLK-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bob Schellink resolved CLK-762.
-------------------------------
Resolution: Fixed
Assignee: Bob Schellink
Thanks, fix checked in
> Cross Site Scripting Issue in ErrorPage
> ---------------------------------------
>
> Key: CLK-762
> URL: https://issues.apache.org/jira/browse/CLK-762
> Project: Click
> Issue Type: Bug
> Environment: N/A
> Reporter: Tsuyoshi Yamamoto
> Assignee: Bob Schellink
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Click 2.3.0 line 289 in ErrorReport.java should be HTML-escaped, because the QueryString may include malicious HTML / JavaScript which causes Cross Site Scripting on the ErrorPage.
> For example, Click causes a java.lang.NumberFormatException when the query string 'id' expects an integer value but a string is passed. And if the string is '241<script>alert(20908)</script>' then we can see the popup on the ErrorPage, which results in a vulnerability of the webapp.