ZK-1897

Possible Cross-site Scripting Vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 6.5.3
    • Fix Version/s: 6.5.4
    • Component/s: General
    • Security Level: Jimmy
    • Labels:

      Description

      Should sanitize pi before sending it back to the browser.

      package org.zkoss.web.util.resource;
      
      public class ClassWebResource {
      ...
          // pi is the requested resource path, taken from the request
          private void web0(..., String pi, ...) {
              ...
              // pi is spliced raw into a single-quoted JavaScript string literal;
              // a quote in pi closes the literal and whatever follows runs as script
              data = ("(window.zk&&zk.error?zk.error:alert)('"+pi+" not found');").getBytes("UTF-8");
              ...
              // the generated script is written to the response and executed by the browser
              out.write(data);
              ...
          }
      ...
      }
      
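      The following is an added example, not ZK project code and not the fix the project shipped (the page does not show that fix). It reproduces the concatenation pattern from web0 in JavaScript, beside a hardened builder that emits pi as an escaped string literal, and runs both outputs the way a browser would to show that only the unescaped version lets a crafted path segment execute code. The zk.error stub, the "steal" canary sink, the document.cookie value and the PAYLOAD string are all constructed for the demonstration; the JSON.stringify-based escaping is one reasonable approach, not ZK's.

```javascript
// Added example, not ZK project code. Mirrors the concatenation pattern in
// ClassWebResource.web0 and contrasts it with a builder that emits the path
// info as a properly escaped JavaScript string literal.

// Vulnerable builder: the raw value lands inside a single-quoted JS literal.
function buildNotFoundScriptUnsafe(pi) {
  return "(window.zk&&zk.error?zk.error:alert)('" + pi + " not found');";
}

// Escape an arbitrary string as a JavaScript string literal. JSON.stringify
// handles quotes, backslashes and ASCII control characters; U+2028/U+2029
// are escaped as well because some engines treat them as line terminators
// inside literals, and "</" is broken up in case the script is ever inlined
// into HTML.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/");
}

// Hardened builder: same message, but the literal can no longer be closed early.
function buildNotFoundScriptSafe(pi) {
  return "(window.zk&&zk.error?zk.error:alert)(" +
    jsStringLiteral(pi + " not found") + ");";
}

// Run a generated script roughly as a browser would, with a stub zk.error that
// records what it was called with and a canary sink ("steal") that injected
// code would try to reach. Returns the list of calls observed.
function runScript(script) {
  const calls = [];
  const win = {
    zk: { error: (msg) => calls.push(["zk.error", msg]) },
    steal: (x) => calls.push(["steal", x]),
    document: { cookie: "SESSION=secret" }, // constructed sample value
  };
  win.window = win;
  // Free identifiers in the script resolve to these parameters, not to real globals.
  const fn = new Function("window", "zk", "steal", "document", script);
  fn(win, win.zk, win.steal, win.document);
  return calls;
}

// Constructed attack path segment: closes the literal, runs code, comments out the rest.
const PAYLOAD = "'); steal(document.cookie); //";

// True when running the builder's output on PAYLOAD reaches the canary sink.
function injectionSucceeds(builder, pi = PAYLOAD) {
  return runScript(builder(pi)).some(([name]) => name === "steal");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", injectionSucceeds(buildNotFoundScriptUnsafe)); // true
  console.log("safe:  ", injectionSucceeds(buildNotFoundScriptSafe));   // false
  console.log(runScript(buildNotFoundScriptSafe(PAYLOAD)));
}
```

      Because the vulnerable response is served as a script resource rather than as HTML, the escaping that matters is JavaScript string-literal escaping, not HTML entity encoding; an HTML-encoded quote would still close the literal. In a real request the payload would arrive URL-encoded and be decoded by the servlet container before reaching pi; that decoding step is not modelled here.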

        Activity

        vincentjian added a comment - Fixed since 2013/8/22.

          People

          • Assignee: RaymondChao
          • Reporter: neillee
          • Votes: 0
          • Watchers: 0

            Dates

            • Created:
              Updated:
              Resolved: