ZK-3550

Externalize dsp servlet from zweb to separate dependency

Details

• Type: New Feature
• Status: Closed
• Priority: Normal
• Resolution: Done
• Affects Version/s: 8.0.3
• Fix Version/s: 9.0.0
• Component/s: None
• Security Level: Jimmy
• Sprint: ZK 8.6.0 S1, ZK 8.6.0 S2, ZK 9.0.0 S0, ZK 9.0.0 S1

Description

In the current ZK release:
The DSP Servlet is part of zweb, which is loaded as a dependency from zk.jar for most projects.

The dsp servlet returns a number of potential XSS vulnerabilities from security scanning, in ForEach and InterpreterServlet.
From initial checks, these vulnerabilities are inherent to page composition with dsp.

This doesn't affect ZK unless the dsp servlet is activated in web.xml, but it could be beneficial to externalize the dsp servlet to its own package and make it available for users requiring it, but not included by default.

See the attached scan (performed on zk 7.0.5) for details on the possible XSS vulnerabilities.
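Since the finding only matters when the DSP servlet is registered in web.xml, the practical check for a deployer is whether their descriptor activates it at all. The script below is an added example (not ZK project code) that parses a web.xml and reports every servlet registered with the DSP interpreter class together with its URL mappings. The fully-qualified class name `org.zkoss.web.servlet.dsp.InterpreterServlet` is an assumption (the issue names only `InterpreterServlet`); the two embedded descriptors are constructed samples, one with the servlet enabled and one without.

```python
"""Report whether a web.xml activates the ZK DSP servlet.

Added example, not ZK project code. The DSP servlet class name below is an
assumption based on the InterpreterServlet named in the issue.
"""
import xml.etree.ElementTree as ET

# Assumed fully-qualified name of the zweb DSP interpreter servlet.
DSP_SERVLET_CLASS = "org.zkoss.web.servlet.dsp.InterpreterServlet"

# Constructed sample: DSP servlet registered and mapped to *.dsp (weak setting).
WEB_XML_WITH_DSP = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>dspLoader</servlet-name>
    <servlet-class>org.zkoss.web.servlet.dsp.InterpreterServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>dspLoader</servlet-name>
    <url-pattern>*.dsp</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>com.example.AppServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: same application with the DSP registration removed (corrected setting).
WEB_XML_WITHOUT_DSP = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>com.example.AppServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so '{ns}servlet' compares as 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Return the stripped text of the first child element named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def find_dsp_activations(web_xml, dsp_class=DSP_SERVLET_CLASS):
    """Return [(servlet-name, [url-patterns])] for each servlet registered with dsp_class.

    A servlet that is declared but never mapped still appears, with an empty
    pattern list, because the registration alone is what the issue cares about.
    """
    root = ET.fromstring(web_xml)
    mappings = {}
    # Pass 1: collect servlet names whose class is the DSP interpreter.
    for elem in root:
        if _local(elem.tag) == "servlet" and _child_text(elem, "servlet-class") == dsp_class:
            name = _child_text(elem, "servlet-name")
            if name:
                mappings[name] = []
    # Pass 2: attach every url-pattern mapped to one of those names.
    for elem in root:
        if _local(elem.tag) == "servlet-mapping":
            name = _child_text(elem, "servlet-name")
            if name in mappings:
                mappings[name].extend(
                    child.text.strip()
                    for child in elem
                    if _local(child.tag) == "url-pattern" and child.text
                )
    return sorted(mappings.items())


def is_dsp_active(web_xml, dsp_class=DSP_SERVLET_CLASS):
    """True when the descriptor registers the DSP servlet at all."""
    return bool(find_dsp_activations(web_xml, dsp_class))


if __name__ == "__main__":
    for label, xml in (("with DSP", WEB_XML_WITH_DSP), ("without DSP", WEB_XML_WITHOUT_DSP)):
        print(label, "->", find_dsp_activations(xml), "active:", is_dsp_active(xml))
```

Point the check at each deployed web.xml (and any fragment merged from web-fragment.xml files) before treating a scanner finding on ForEach or InterpreterServlet as reachable; a hit with a non-empty pattern list is the case where the servlet is actually exposed.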


People

• Assignee: DevChu
• Reporter: MDuchemin
• Votes: 0
• Watchers: 2
