Ticket #1955 (closed defect: fixed)

Opened 7 weeks ago

Last modified 7 weeks ago

IWindow: caption value is not escaped (converted correctly to html)

Reported by: Jouni Koivuviita Owned by: Jouni Koivuviita
Priority: blocker Milestone: User Interface Library 5.2.5
Component: gwt-adapter-client Version: 5.2.5
Keywords: Cc:
Known Issue description:
Hours estimate: Deadline (dd.mm.yyyy):
Known Issue version (since): Known Issue title:
Hours done: Depends to:
Affects documentation: no
Known Issue workaround:
Affects release notes: yes Contract:

Description (last modified by Jani Laakso)

The string that gets passed from the server to the client isn't escaped at any point, therefore the caption might be displayed wrongly.

Change History

Changed 7 weeks ago by Jouni Koivuviita

  • status changed from new to closed
  • resolution set to fixed
  • affects_release_notes set

in [5115].

Changed 7 weeks ago by Jani Laakso

  • description modified
  • summary changed from Security vulnerability in Window: caption can contain any HTML/JavaScript to IWindow: caption can contain any HTML/JavaScript

This is not a security issue, hence I removed "Security vulnerability" from the ticket's subject. This is a plain bug where the value is not correctly escaped.

The server has full control of the client's web engine in any case; you can still push any HTML/JavaScript to IWindow by using a label that is in raw or HTML mode.

Fix again if I have understood something wrongly.

Changed 7 weeks ago by Jani Laakso

  • summary changed from IWindow: caption can contain any HTML/JavaScript to IWindow: caption value is not escaped (converted correctly to html)

Changed 7 weeks ago by Jani Laakso

This could be related to security if a black-hat user could affect the caption's value freely and this caption would be served to legitimate users as well. Still, the same issue remains with raw Labels: you must be careful when using them in a way where users may change their content.
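The defect in the ticket description and the risk discussed in the comment above come down to one thing: a caption string that is written into the page as HTML instead of as text. The following is an added example, not code from the IT Mill Toolkit or from changeset [5115]; it shows the unescaped rendering beside an escaped one and a small check that a test could use to confirm the caption no longer contributes markup. The wrapper element and its class name `i-window-header` are assumptions for illustration; in GWT terms the equivalent fix is writing the caption as inner text rather than inner HTML.

```javascript
// Added example (not the toolkit's own code): escaping a window caption
// before it is written into the DOM as HTML.
// Assumption: the caption arrives from the server as a plain string and the
// client inserts it into the caption element as HTML (the path the ticket describes).

// The five characters that need escaping in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every special character with its entity; non-string input is coerced.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Buggy path, as in the ticket: the caption is used verbatim as HTML, so any
// markup it contains is interpreted by the browser.
function renderCaptionUnescaped(caption) {
  return `<div class="i-window-header">${caption}</div>`;
}

// Fixed path: escape first, so the caption renders as literal text.
function renderCaptionEscaped(caption) {
  return `<div class="i-window-header">${escapeHtml(caption)}</div>`;
}

// Regression check: the wrapper contributes exactly two '<' characters
// (opening and closing div); anything beyond that came from the caption.
function containsForeignMarkup(html) {
  return (html.match(/</g) || []).length > 2;
}

// Constructed sample caption (not from the ticket) containing markup and an ampersand.
const SAMPLE_CAPTION = 'Orders <b>Q1</b> & returns';

console.log(renderCaptionUnescaped(SAMPLE_CAPTION));
console.log(renderCaptionEscaped(SAMPLE_CAPTION));
```

Escaping belongs at the point where the string changes context (plain text becoming HTML), which is why the fix sits in the client renderer rather than in application code that sets the caption. Labels in raw or HTML mode are a separate, deliberate channel and are not covered by this check.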
