ZK / ZK-2407

XSS Vulnerability in textbox.setValue()


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • 7.0.3, 6.5.8
    • 6.5.6, 7.0.2
    • None
    • Security Level: Jimmy

      Problem Description

      One customer reported:

      After applying a composer with setValue("</script foo=bar>") the application breaks as described below. This is very important to support this case while users may want to refresh the view by ctrl-F5 (Command-R) and the values stored must be served in this case from the session.

      Steps to Reproduce

      1. use attached project zip file

      Actual Result

      Extra Information

      Please also fix it in 6.5.x.
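
      Added example, not part of the original report and not ZK's own code: it shows why the reported value is dangerous if component state is written into an inline <script> element when the page is re-rendered, and how escaping "<" in the serialized value prevents it. That rendering model is an assumption (the report does not describe the mechanism), and widgetState is a hypothetical function name.

```javascript
// Added example (not ZK code). Assumed page model: on a full reload the server
// writes component state as JSON inside an inline <script> element.

// HTML tokenizer rule: script text ends at "</script" followed by whitespace,
// "/" or ">", case-insensitively, even inside a JavaScript string literal.
const SCRIPT_END = /<\/script[\t\n\f \/>]/i;

// Returns the part of `body` the HTML parser would treat as script text.
function scriptTextSeenByParser(body) {
  const m = SCRIPT_END.exec(body);
  return m ? body.slice(0, m.index) : body;
}

// Naive: a valid JS string literal, but "</script" survives verbatim.
function embedNaive(value) {
  return 'widgetState(' + JSON.stringify({ value }) + ');';
}

// Hardened: escape every "<" (and U+2028/U+2029) so no end tag or "<!--"
// can form inside the block; the JS engine decodes \u003c back to "<".
function embedSafe(value) {
  const json = JSON.stringify({ value })
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return 'widgetState(' + json + ');';
}

// Recovers the value the client would receive from the hardened script text.
function decodeState(scriptText) {
  const json = scriptText.slice('widgetState('.length, -2);
  return JSON.parse(json).value;
}

// Compares both serializers for one stored value.
function check(value) {
  const naive = embedNaive(value);
  const safe = embedSafe(value);
  return {
    naiveIntact: scriptTextSeenByParser(naive) === naive,
    safeIntact: scriptTextSeenByParser(safe) === safe,
    roundTrip: decodeState(safe) === value,
  };
}

console.log(check('</script foo=bar>')); // value from the report
```

      Escaping only the literal string "</script>" would not cover the reported value, because the tokenizer also accepts whitespace or "/" after the tag name.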

            Jenkins
            hawk