Thiago Henrique De Paula Figueiredo created TAP5-2811:
---------------------------------------------------------
Summary: Possible XSS issue with Confirm mixin and certain user code
Key: TAP5-2811
URL: https://issues.apache.org/jira/browse/TAP5-2811
Project: Tapestry 5
Issue Type: Bug
Components: tapestry-core
Affects Versions: 5.9.0
Reporter: Thiago Henrique De Paula Figueiredo
This was brought to our attention by Yannick Dylla
(https://github.com/ydylla), whom we thank very much.
The Confirm mixin JavaScript doesn't sanitize the input it gets from user code,
so, given certain circumstances, it may allow an XSS injection. Here's the
example provided by Yannick:
When using it as following in a tml template:
<t:eventlink t:mixins="Confirm" t:Confirm.message="Delete ${name}?"><h1>Click me</h1></t:eventlink>
and where the ${name} property is user controlled, it is possible to
inject JavaScript code that is executed when the eventlink is clicked.
For example with this name: "Evil Name<script>alert('Successful XSS!')</script>".
The Confirm.message gets correctly escaped when Confirm.java [1] writes
it as attribute in the html.
But confirm-click.coffee [2] then uses a string template without any
escaping, to append the modal html to the body tag.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
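The report describes the defect as a second, client-side rendering step: the message is HTML-escaped once when written into the attribute, but once the browser has parsed that attribute the JavaScript holds a plain string again, and interpolating it into an HTML template string turns it back into markup. The following added example (not Tapestry's confirm-click.coffee, which is not reproduced here) models that pattern and two ways of closing it; the function names and the modal markup are assumptions.

```javascript
// Added illustration of the pattern described in TAP5-2811. This is not
// Tapestry's code; the modal markup and function names are made up.

// Minimal escaper for text that will be placed into HTML element content or
// a double-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: `message` was escaped server-side in the attribute, but
// after the browser parsed the attribute it is an ordinary string. Putting it
// into an HTML string template makes the browser parse it as markup again.
function buildModalUnsafe(message) {
  return `<div class="modal"><div class="modal-body">${message}</div></div>`;
}

// Fix 1: escape at the point where the string becomes HTML.
function buildModalEscaped(message) {
  return `<div class="modal"><div class="modal-body">${escapeHtml(message)}</div></div>`;
}

// Fix 2: avoid HTML strings altogether and set the text through the DOM.
// `document` is passed in so the function can be called from a browser page;
// textContent is never interpreted as markup.
function buildModalDom(document, message) {
  const modal = document.createElement('div');
  modal.className = 'modal';
  const body = document.createElement('div');
  body.className = 'modal-body';
  body.textContent = message;
  modal.appendChild(body);
  return modal;
}

// Constructed sample: the confirm message the report's example would produce.
const SAMPLE_MESSAGE = "Delete Evil Name<script>alert('Successful XSS!')</script>?";
```

In a browser, `buildModalUnsafe(SAMPLE_MESSAGE)` assigned to `innerHTML` yields a live script element, while both fixed variants render the same characters as visible text.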