I don't know how this relates to ZK-1720 and ZK-1961, but in Release 6.5.3 it seems to be still an issue: One of our customers reported a possible security issue. He was able to inject JavaScript code in the SID and UUID parameters sent to the server during uploads. Both parameters seem to be sent back to the client in the Servlets.forward() call without being checked against JavaScript code.
Is duplicated by: ZK-3899 fileupload.html.dsp has XSS problem (Closed)
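The defensive pattern the report above calls for, as an added example that is not ZK's own code: identifier parameters that get echoed back into the upload response are first validated against an allow-list and then HTML-escaped, with the unsafe reflection shown beside the hardened one. The class and method names, the accepted identifier alphabet and the hidden-input output context are assumptions for illustration.

```java
import java.util.regex.Pattern;

// Added example, not ZK's code. Names, the ID alphabet and the output context
// (a hidden input in the upload result page) are assumptions for illustration.
public final class UploadParamGuard {
    // Assumption: legitimate SID/UUID values never contain markup characters.
    private static final Pattern ID_PATTERN = Pattern.compile("[A-Za-z0-9_.$-]{1,64}");

    /** Allow-list check: rejects anything that is not a plain identifier. */
    public static boolean isSafeId(String id) {
        return id != null && ID_PATTERN.matcher(id).matches();
    }

    /** Escapes the characters that can break out of an HTML text or attribute context. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the raw request parameter is copied into the response. */
    public static String renderUnsafe(String sid) {
        return "<input type=\"hidden\" name=\"sid\" value=\"" + sid + "\">";
    }

    /** Hardened: reject malformed identifiers, then escape whatever is echoed. */
    public static String renderSafe(String sid) {
        if (!isSafeId(sid)) {
            throw new IllegalArgumentException("invalid sid parameter");
        }
        return "<input type=\"hidden\" name=\"sid\" value=\"" + escapeHtml(sid) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample values: a well-formed id and one carrying markup.
        System.out.println(renderSafe("z_abc123"));
        try {
            renderSafe("\"><script>alert(1)</script>");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the allow-list in place the escaping step is a second layer: it only matters if the validation is ever relaxed, but it costs nothing and keeps the response safe in the attribute context.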