-
Bug
-
Resolution: Fixed
-
Normal
-
9.6.1
-
None
-
Security Level: Jimmy
-
None
-
None
Steps to Reproduce
1. add <?page title="</title><script>alert('XSS')</script>"?> into a blank zul
or add <?page viewport="\"><script>alert('XSS')</script>"?> and visit with a mobile browser
Alternative steps
1. <?page title="${param.title}"?>
2. visit http://localhost:8080/zk9support/ticket/zk-5161.zul?title=</title><script>alert('XSS')</script>
Current Result
the browser executes alert()
Expected Result
the browser doesn't execute the script
Debug Information
1. other directives encode the attribute values when outputting to HTML like:
<?meta name="'><script>" content="\"><script>alert('XSS')</script>"?> <?root-attributes anyname="\"><script>alert('XSS')</script>"?>
So there is a inconsistency of encoding values among all directives.
2. this unencoded content could cause an XSS issue.
Workaround
escapes HTML characters manually.