Insecure html in build output leads to bad html rendering - could be used for 
malicious cross-site scripting.
-------------------------------------------------------------------------------------------------------------

         Key: CONTINUUM-679
         URL: http://jira.codehaus.org/browse/CONTINUUM-679
     Project: Continuum
        Type: Bug

  Components: Web interface  
    Versions: 1.0.3    
    Reporter: Christian Gruber
    Priority: Critical


In a custom Maven 2 build that calls an Ant script to invoke WebLogic's compiler 
for Workshop, some warning output includes a warning about the "<textarea>" 
tag.  Continuum does not convert < and > into lt and gt entities.  Since the 
build output is in another textarea it is sometimes not a problem.  However, 
some browsers render nested textareas, and the remaining build log output is 
contained within the inner textarea.

While this is annoying, it is dangerous.  One need only alter the build script 
to <echo> something more malicious - say something with JavaScript - to cause 
damage.

The fix is to pre-process the output to strip it of any HTML tag content.  

This bug should be reproducible by creating a small build.xml that echoes a 
<textarea> and calling it from a Maven pom file.  
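
Added example, not part of the original report and not Continuum's own code: a Java program that encodes build output as HTML text before it is placed inside the page's textarea, shown next to the unencoded rendering. The class name, the `renderLog` and `count` helpers and the sample log lines are constructed for illustration.

```java
public class BuildOutputEscaper {

    // Encode text so the browser treats it as character data, not markup.
    static String escapeHtml(String raw) {
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical helper: wrap a build log the way a result page might.
    static String renderLog(String log, boolean escape) {
        return "<textarea rows=\"20\" cols=\"80\">"
             + (escape ? escapeHtml(log) : log)
             + "</textarea>";
    }

    static int count(String text, String needle) {
        int n = 0;
        for (int i = text.indexOf(needle); i >= 0; i = text.indexOf(needle, i + needle.length())) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample output; the log line contents are invented.
        String log = "[echo] warning: unsupported tag <textarea> in page\n"
                   + "[echo] </textarea><b>rendered outside the log box</b>\n"
                   + "[echo] step A & B done\n";
        String unescaped = renderLog(log, false);
        String escaped = renderLog(log, true);

        // Unescaped: the log's own </textarea> closes the box early (2 closers).
        System.out.println("closing tags, unescaped: " + count(unescaped, "</textarea>"));
        // Escaped: only the page's closer remains; the warning text is kept verbatim.
        System.out.println("closing tags, escaped:   " + count(escaped, "</textarea>"));
        System.out.println(escaped);
    }
}
```

Encoding keeps the compiler's warning readable in the log, whereas stripping tags would drop the tag name the warning refers to.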
