You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tapestry.apache.org by "François Facon (JIRA)" <ji...@apache.org> on 2010/03/17 17:08:27 UTC
[jira] Created: (TAP5-1057) XSS vulnerability in calendar component
XSS vulnerability in calendar component
---------------------------------------
Key: TAP5-1057
URL: https://issues.apache.org/jira/browse/TAP5-1057
Project: Tapestry 5
Issue Type: Bug
Components: tapestry-core
Affects Versions: 5.1.0.5
Reporter: François Facon
The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
After quick search in the DateField.js, it seems like the field value is not escaping
escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
Re: [jira] Reopened: (TAP5-1057) XSS vulnerability in calendar component
Posted by Igor Drobiazko <ig...@gmail.com>.
Christophe,
I guess you shouldn't reopen issues fixed for a released version. There are
official release notes where this issue is marked as open now. Please clone
issues if needed.
On Tue, Aug 31, 2010 at 3:19 PM, Christophe Cordenier (JIRA) <
jira@apache.org> wrote:
>
> [
> https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
>
> Christophe Cordenier reopened TAP5-1057:
> ----------------------------------------
>
> Assignee: Christophe Cordenier (was: Igor Drobiazko)
>
> I will apply it on 5.1.0.8-SNAPSHOT too
>
> > XSS vulnerability in calendar component
> > ---------------------------------------
> >
> > Key: TAP5-1057
> > URL: https://issues.apache.org/jira/browse/TAP5-1057
> > Project: Tapestry 5
> > Issue Type: Bug
> > Components: tapestry-core
> > Affects Versions: 5.1.0.5
> > Reporter: François Facon
> > Assignee: Christophe Cordenier
> > Fix For: 5.2.0
> >
> > Attachments: datefield_js.patch, datefield_js.patch
> >
> >
> > The calendar component provided in tapestry 5.1.0.5 could be used to
> allow code injection by malicious web users into any page that uses
> datefield .
> > To reproduce the vulnerability, put js code like <script>alert("T5 is
> great"); </script> in any datefield and click on the related calendar bitma
> > After quick search in the DateField.js, it seems like the field value is
> not escaping
> > escaping with a change like var value = escape($F(this.field)); the
> field value seems solve this vulnerability.
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
>
>
--
Best regards,
Igor Drobiazko
http://tapestry5.de
[jira] Reopened: (TAP5-1057) XSS vulnerability in calendar
component
Posted by "Christophe Cordenier (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christophe Cordenier reopened TAP5-1057:
----------------------------------------
Assignee: Christophe Cordenier (was: Igor Drobiazko)
I will apply it on 5.1.0.8-SNAPSHOT too
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Assignee: Christophe Cordenier
> Fix For: 5.2.0
>
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (TAP5-1057) XSS vulnerability in calendar component
Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Drobiazko closed TAP5-1057.
--------------------------------
Fix Version/s: 5.2.0
Resolution: Fixed
Prototype's String.escapeHTML() fixes the issue. Integration test proves that.
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Assignee: Igor Drobiazko
> Fix For: 5.2.0
>
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (TAP5-1057) XSS vulnerability in calendar
component
Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12862114#action_12862114 ]
Igor Drobiazko commented on TAP5-1057:
--------------------------------------
Escaping datefield value is inappropriate for localized dates, for example French months décembre or février.
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (TAP5-1057) XSS vulnerability in calendar component
Posted by "Nourredine K. (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nourredine K. updated TAP5-1057:
--------------------------------
Attachment: datefield_js.patch
Hi,
A more achieved datefield.js patch (fix for xss vulnerabilities for ajax requests)
Nourredine.
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (TAP5-1057) XSS vulnerability in calendar component
Posted by "Christophe Cordenier (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christophe Cordenier closed TAP5-1057.
--------------------------------------
Resolution: Fixed
Clone instead re-opening.
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Assignee: Christophe Cordenier
> Fix For: 5.2.0
>
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (TAP5-1057) XSS vulnerability in calendar component
Posted by "Nourredine K. (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nourredine K. updated TAP5-1057:
--------------------------------
Attachment: datefield_js.patch
Hi,
I encountered this issue. See the simple joined patch.
Nourredine.
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Attachments: datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (TAP5-1057) XSS vulnerability in calendar
component
Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Drobiazko reassigned TAP5-1057:
------------------------------------
Assignee: Igor Drobiazko
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Assignee: Igor Drobiazko
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Reopened: (TAP5-1057) XSS vulnerability in calendar
component
Posted by "Christophe Cordenier (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christophe Cordenier reopened TAP5-1057:
----------------------------------------
Assignee: Christophe Cordenier (was: Igor Drobiazko)
I will apply it on 5.1.0.8-SNAPSHOT too
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Assignee: Christophe Cordenier
> Fix For: 5.2.0
>
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (TAP5-1057) XSS vulnerability in calendar component
Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Drobiazko closed TAP5-1057.
--------------------------------
Fix Version/s: 5.2.0
Resolution: Fixed
Prototype's String.escapeHTML() fixes the issue. Integration test proves that.
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Assignee: Igor Drobiazko
> Fix For: 5.2.0
>
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (TAP5-1057) XSS vulnerability in calendar component
Posted by "Christophe Cordenier (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christophe Cordenier closed TAP5-1057.
--------------------------------------
Resolution: Fixed
Clone instead re-opening.
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Assignee: Christophe Cordenier
> Fix For: 5.2.0
>
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (TAP5-1057) XSS vulnerability in calendar component
Posted by "Nourredine K. (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nourredine K. updated TAP5-1057:
--------------------------------
Attachment: datefield_js.patch
Hi,
A more achieved datefield.js patch (fix for xss vulnerabilities for ajax requests)
Nourredine.
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (TAP5-1057) XSS vulnerability in calendar
component
Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12862114#action_12862114 ]
Igor Drobiazko commented on TAP5-1057:
--------------------------------------
Escaping datefield value is inappropriate for localized dates, for example French months décembre or février.
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (TAP5-1057) XSS vulnerability in calendar
component
Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Drobiazko reassigned TAP5-1057:
------------------------------------
Assignee: Igor Drobiazko
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Assignee: Igor Drobiazko
> Attachments: datefield_js.patch, datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (TAP5-1057) XSS vulnerability in calendar component
Posted by "Nourredine K. (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nourredine K. updated TAP5-1057:
--------------------------------
Attachment: datefield_js.patch
Hi,
I encountered this issue. See the simple joined patch.
Nourredine.
> XSS vulnerability in calendar component
> ---------------------------------------
>
> Key: TAP5-1057
> URL: https://issues.apache.org/jira/browse/TAP5-1057
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: François Facon
> Attachments: datefield_js.patch
>
>
> The calendar component provided in tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield .
> To reproduce the vulnerability, put js code like <script>alert("T5 is great"); </script> in any datefield and click on the related calendar bitma
> After quick search in the DateField.js, it seems like the field value is not escaping
> escaping with a change like var value = escape($F(this.field)); the field value seems solve this vulnerability.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.