Posted to notifications@freemarker.apache.org by "Dániel Dékány (Jira)" <ji...@apache.org> on 2022/02/17 08:15:00 UTC

[jira] [Closed] (FREEMARKER-189) The Built-in constructs like "?html" have security issues

     [ https://issues.apache.org/jira/browse/FREEMARKER-189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dániel Dékány closed FREEMARKER-189.
------------------------------------
    Resolution: Information Provided

> The Built-in constructs like "?html" have security issues
> ---------------------------------------------------------
>
>                 Key: FREEMARKER-189
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-189
>             Project: Apache Freemarker
>          Issue Type: Bug
>          Components: jsp
>    Affects Versions: 2.3.28, 2.3.29
>         Environment: just normal environment, no special
>            Reporter: PowerCOM_STARWAR
>            Priority: Major
>              Labels: security
>         Attachments: StringUtil.java
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> 1. When I develop the JSP page, for the reason of security, I use the "?html" to encode the attribute "onclick" in the button.ftl as below:
> <span id="${btnID?html}" style="${(style!'')?html}" tabindex="0" class=" ${(css!'')?html}" <@htmc.disabled /> <#if btnTitle!=''>title="${btnTitle?html}"</#if><#lt>
> <#if btnOnClick??> *onclick="${btnOnClick?html}"*</#if> > <#lt>
> 2. In the JSP b.jsp, I write it like this: <powercom: button id="game" onclick="submit('${name}')" />;
> 3. The variable name comes from another page, a.jsp; the user can input the value for the parameter name, then the user can jump to b.jsp;
> 4. If I input the value for name as "'*);console.log(1)//*" or "'*);alert(1)//*" in a.jsp (attention, it simulates an attack), it will be executed when I jump to b.jsp: the variable "*btnOnClick*" will be assigned the value "*submit('${name}')*", then the attack statement is spliced like this: onclick="submit('');*alert(1)*//')"; and the page pops up a message box showing "1".
> 5. Because the built-in construct "?html" does not escape the left and right parentheses "(" and ")", the attack statements can be executed. I think the left and right parentheses "(" and ")" should be escaped for the "?html" built-in construct because of security. Thanks



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
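The report's steps 1 to 5 put a user value into a JavaScript string literal that itself sits inside an HTML attribute. As an added example (not part of the report and not FreeMarker's code), the Python below models that pipeline: the template renders the onclick attribute, the HTML parser decodes entities, and a minimal lexer checks whether the value is still confined to the string literal. It compares three strategies: HTML-only escaping as in the report, the report's proposal of additionally entity-encoding parentheses, and escaping for the inner JavaScript context first (`${name?js_string?html}`). The `?html` and `?js_string` approximations are assumptions written for this example, not the built-ins' exact character sets.

```python
import html
from typing import Callable, Optional

# Constructed input from the report: it tries to close the JS string literal early.
ATTACK = "');alert(1)//"

def html_attr_escape(s: str) -> str:
    """Approximates ?html: entity-encodes & < > " '; the exact set does not matter here."""
    return html.escape(s, quote=True)

def html_attr_escape_with_parens(s: str) -> str:
    """The report's proposal: ?html plus entity-encoding of ( and )."""
    return html_attr_escape(s).replace("(", "&#40;").replace(")", "&#41;")

def js_string_escape(s: str) -> str:
    """Approximates ?js_string: backslash-escapes for a JS string literal."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n", "\r": "\\r",
             "<": "\\x3C", ">": "\\x3E"}
    return "".join(table.get(ch, ch) for ch in s)

def js_then_html(s: str) -> str:
    """Models ${name?js_string?html}: inner (JS) context first, outer (HTML attribute) last."""
    return html_attr_escape(js_string_escape(s))

def render_onclick(name: str, escape: Callable[[str], str]) -> str:
    """The template fragment onclick="submit('${name}')" with `escape` applied to name."""
    return f"submit('{escape(name)}')"

def js_seen_by_browser(attr_value: str) -> str:
    """The HTML parser decodes all entities in the attribute before the JS engine runs."""
    return html.unescape(attr_value)

def string_literal_content(js: str) -> Optional[str]:
    """Scans the argument literal the way a JS lexer would; None if unterminated."""
    i, buf = len("submit('"), []
    while i < len(js):
        if js[i] == "\\":            # escape sequence: keep both characters
            buf.append(js[i:i + 2]); i += 2
        elif js[i] == "'":           # unescaped quote terminates the literal
            return "".join(buf)
        else:
            buf.append(js[i]); i += 1
    return None

def literal_intact(name: str, escape: Callable[[str], str]) -> bool:
    """True if the user value stays inside the literal: what follows must be the template's `')`."""
    js = js_seen_by_browser(render_onclick(name, escape))
    lit = string_literal_content(js)
    return lit is not None and js[len("submit('") + len(lit):] == "')"
```

Entity-encoding more characters in the attribute cannot help, because the browser decodes every entity before the script is parsed; only escaping for the JavaScript string context keeps the value inside the literal, and benign input such as a name containing an apostrophe breaks the HTML-only version just as the attack string does.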