[
https://issues.apache.org/jira/browse/WW-5623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tran Quac updated WW-5623:
--------------------------
Description:
h2. Summary
PostbackResult.doExecute() at line 107 embeds finalLocation into a form action
attribute via raw string concatenation without HTML encoding. The response
Content-Type is text/html (line 103). A double-quote character in the location
breaks out of the attribute, enabling reflected XSS.
This is an encoding inconsistency: form field names and values at lines 218-219
ARE properly URL-encoded via URLEncoder.encode(), but the form action attribute
was not encoded at all.
h2. Changes
* {*}PostbackResult.java{*}: Add encodeHtml() method to escape &, ", <, > in
finalLocation before embedding in the HTML form tag. Consistent with the
existing encoding approach for form field values.
h2. Impact
When a developer uses PostbackResult with an OGNL expression referencing a
user-controllable property (a documented framework feature for dynamic
routing), an attacker can inject arbitrary HTML attributes and elements via the
form action attribute.
h2. Refer
[https://github.com/apache/struts/pull/1653]
[https://github.com/apache/struts/pull/1653/changes/1b2242487179f38009d118707b8e70ab396a3d27]
was:
h2. Summary
PostbackResult.doExecute() at line 107 embeds finalLocation into a form action
attribute via raw string concatenation without HTML encoding. The response
Content-Type is text/html (line 103). A double-quote character in the location
breaks out of the attribute, enabling reflected XSS.
This is an encoding inconsistency: form field names and values at lines 218-219
ARE properly URL-encoded via URLEncoder.encode(), but the form action attribute
was not encoded at all.
h2. Changes
* {*}PostbackResult.java{*}: Add encodeHtml() method to escape &, ", <, > in
finalLocation before embedding in the HTML form tag. Consistent with the
existing encoding approach for form field values.
h2. Impact
When a developer uses PostbackResult with an OGNL expression referencing a
user-controllable property (a documented framework feature for dynamic
routing), an attacker can inject arbitrary HTML attributes and elements via the
form action attribute.
h2. Refer
[-
https://github.com/apache/struts/pull/1653|https://github.com/apache/struts/pull/1653]
[-
https://github.com/apache/struts/pull/1653/changes/1b2242487179f38009d118707b8e70ab396a3d27|https://github.com/apache/struts/pull/1653/changes/1b2242487179f38009d118707b8e70ab396a3d27]
> fix(core): HTML-encode form action in PostbackResult to prevent XSS
> -------------------------------------------------------------------
>
> Key: WW-5623
> URL: https://issues.apache.org/jira/browse/WW-5623
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Tran Quac
> Priority: Major
>
> h2. Summary
> PostbackResult.doExecute() at line 107 embeds finalLocation into a form
> action attribute via raw string concatenation without HTML encoding. The
> response Content-Type is text/html (line 103). A double-quote character in
> the location breaks out of the attribute, enabling reflected XSS.
> This is an encoding inconsistency: form field names and values at lines
> 218-219 ARE properly URL-encoded via URLEncoder.encode(), but the form action
> attribute was not encoded at all.
> h2. Changes
> * {*}PostbackResult.java{*}: Add encodeHtml() method to escape &, ", <, > in
> finalLocation before embedding in the HTML form tag. Consistent with the
> existing encoding approach for form field values.
> h2. Impact
> When a developer uses PostbackResult with an OGNL expression referencing a
> user-controllable property (a documented framework feature for dynamic
> routing), an attacker can inject arbitrary HTML attributes and elements via
> the form action attribute.
> h2. Refer
> [https://github.com/apache/struts/pull/1653]
> [https://github.com/apache/struts/pull/1653/changes/1b2242487179f38009d118707b8e70ab396a3d27]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
