ZK-1897

Possible Cross-site Scripting Vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 6.5.3
    • Fix Version/s: 6.5.4
    • Component/s: General
    • Security Level: Jimmy
    • Labels:

      Description

      Should sanitize pi before sending back to browser

      package org.zkoss.web.util.resource;
      
      public class ClassWebResource {
      ...
          // pi is the path of the requested resource, taken from the client request
          private void web0(..., String pi, ...) {
              ...
              // pi is concatenated unescaped into a JavaScript string literal;
              // a quote or line terminator in pi breaks out of the literal
              data = ("(window.zk&&zk.error?zk.error:alert)('"+pi+" not found');").getBytes("UTF-8");
              ...
              // the generated script is written back to the browser as the response body
              out.write(data);
              ...
          }
      ...
      }
      
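The following is an added example, not code from the ZK project, that contrasts the string construction shown in the snippet above with a form that escapes the path before embedding it in the JavaScript string literal. The class name NotFoundScript, the methods buildUnsafe, buildSafe and escapeJsString, and the sample path are all hypothetical.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added example (hypothetical names): builds the "not found" script that the
 * issue describes, once with the request path inserted raw and once escaped
 * for a JavaScript string literal.
 */
public class NotFoundScript {

    // Mirrors the issue's snippet: pi is concatenated unescaped into the literal.
    static String buildUnsafe(String pi) {
        return "(window.zk&&zk.error?zk.error:alert)('" + pi + " not found');";
    }

    // Hardened form: every character that could end or alter the literal is escaped.
    static String buildSafe(String pi) {
        return "(window.zk&&zk.error?zk.error:alert)('" + escapeJsString(pi) + " not found');";
    }

    /**
     * Escapes a value for use inside a single- or double-quoted JavaScript
     * string literal. Only ASCII letters and digits pass through; everything
     * else (quotes, backslash, slash, angle brackets, line terminators, ...)
     * becomes \xHH or \uHHHH, so the value can neither close the literal nor
     * form a "</script>" sequence in the surrounding document.
     */
    static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
                sb.append(c);
            } else if (c < 0x100) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a path containing a quote, which closes the
        // literal in the unsafe form but is encoded as \x27 in the safe form.
        String pi = "/missing.js');alert(1);//";
        System.out.println("unsafe: " + buildUnsafe(pi));
        System.out.println("safe:   " + buildSafe(pi));

        // Same encoding step as the original snippet, with an explicit charset constant.
        byte[] data = buildSafe(pi).getBytes(StandardCharsets.UTF_8);
        System.out.println(data.length + " bytes to write");
    }
}
```

Running the main method prints the two scripts side by side: in the unsafe output the quote in the path terminates the literal early, while in the safe output it appears as `\x27` and the whole path stays inside the string the browser displays. Escaping at the point where the value enters the literal, rather than rejecting certain characters earlier, keeps the fix local to the sink and independent of how pi was obtained.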

            People

            • Assignee: RaymondChao
            • Reporter: neillee