ZK-1750: Veracode report security flaw

    • Type: Bug
    • Resolution: Fixed
    • Priority: Normal
    • 7.0.2
    • 5.0.10
    • None

      Hi,

      We are using zk-5.0.10.jar and a Veracode analysis found a vulnerability in org.zkoss.zk.ui.sys.HtmlPageRenders line 616.

      This is the report:

      Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

      Description
      This call contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with user-supplied
      input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context
      of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation
      of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.

      Recommendations
      Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The
      escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect
      fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity
      escaping; if the data is being written to an attribute, use attribute escaping; etc. Both the OWASP ESAPI library for
      Java and the Microsoft AntiXSS library provide contextual escaping methods. For more details on contextual escaping,
      see https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet. In addition,
      as a best practice, always validate user-supplied input to ensure that it conforms to the expected format, using
      centralized data validation routines when possible.

      I look forward to hearing your comments.
      Thx in advance!

            jumperchen jumperchen
            davidfg davidfg
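The contextual escaping the Veracode recommendation describes, as an added illustration (example code written for this page, not ZK's HtmlPageRenders implementation): one escaper for the HTML body context and a stricter one for the attribute context, chosen by where the untrusted value lands in the response. The class name, method names and sample input are constructed for the example.

```java
/** Constructed example: context-aware escaping for server-side HTML rendering. */
public final class ContextualEscaper {

    /** HTML body context: entity-encode the characters that can change how the parser reads markup. */
    public static String escapeHtmlBody(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** HTML attribute context: encode every code point outside [A-Za-z0-9] as &#xHH;.
     *  Whitespace is encoded too, so the value stays inside the attribute even when a
     *  template writes it without quotes (body escaping alone would not cover that case). */
    public static String escapeHtmlAttribute(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length() * 2);
        int i = 0;
        while (i < untrusted.length()) {
            int cp = untrusted.codePointAt(i);
            boolean alnum = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9');
            if (alnum) {
                sb.appendCodePoint(cp);
            } else {
                sb.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
            i += Character.charCount(cp);
        }
        return sb.toString();
    }

    /** Renders a fragment, picking the escaper by context: attribute value vs. element body. */
    public static String renderTitleFragment(String title, String cssClass) {
        return "<h1 class=" + escapeHtmlAttribute(cssClass) + ">" + escapeHtmlBody(title) + "</h1>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing characters that matter in both contexts.
        String untrusted = "Tom & \"Jerry\" <3";
        System.out.println(renderTitleFragment(untrusted, untrusted));
    }
}
```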