[ http://jira.codehaus.org/browse/CONTINUUM-679?page=all ]
Christian Gruber closed CONTINUUM-679:
--------------------------------------
Resolution: Duplicate
> Insecure html in build output leads to bad html rendering - could be used for
> malicious cross-site scripting.
> -------------------------------------------------------------------------------------------------------------
>
> Key: CONTINUUM-679
> URL: http://jira.codehaus.org/browse/CONTINUUM-679
> Project: Continuum
> Type: Bug
> Components: Web interface
> Versions: 1.0.3
> Reporter: Christian Gruber
> Priority: Critical
>
>
> In a custom maven2 build that calls an ant script to invoke weblogic's
> compiler for workshop, some warning output includes a warning about the
> "<textarea>" tag. Continuum does not convert < and > into lt and gt
> entities. Since the build output is in another textarea it is sometimes not
> a problem. However, some browsers render nested textareas, and the remaining
> build log output is contained within the inner textarea.
> While this is annoying, it is dangerous. One need only alter the build
> script to <echo> something more malicious - say something with javascript -
> to cause damage.
> The fix is to pre-process the output to strip it of any html tag content.
> This bug should be reproducable by creating a small build.xml that echo's a
> <textarea> and calling it from a maven pom file.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
