[ https://issues.apache.org/jira/browse/JS2-1075?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ate Douma resolved JS2-1075.
----------------------------
Resolution: Fixed
Fixed by escaping input values within LoginProxyServlet.
Thanks for the report Radko!
> possible cross site scripting during login
> ------------------------------------------
>
> Key: JS2-1075
> URL: https://issues.apache.org/jira/browse/JS2-1075
> Project: Jetspeed 2
> Issue Type: Bug
> Components: Security
> Environment: all env
> Reporter: radko keves
> Assignee: Ate Douma
> Fix For: 2.1.4, 2.2.1
>
>
> user can specify during login script, which isn't html escaped in WEB-INF/templates/login/html/login.jsp
page
> solution, escapeHtml input strings, like this:
> <%
> String ln = "";
> String pa = "";
> Object ln_o = session.getAttribute(LoginConstants.USERNAME);
> Object pa_o = session.getAttribute(LoginConstants.PASSWORD);
> if (ln_o != null) ln = (String)ln_o;
> if (pa_o != null) pa = (String)pa_o;
> %>
> <input type='hidden' name='j_username' value='<%= StringEscapeUtils.escapeHtml(ln)
%>'/>
> <input type='hidden' name='j_password' value='<%= StringEscapeUtils.escapeHtml(pa)
%>'/>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
|