Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Later
Fix Version/s: 10.0.0
Affects Version/s: 9.6.1
Component/s: None
Security Level: Jimmy
Labels:
- XSS
- grid
- listbox

Steps to Reproduce

1. run the zul

Current Result

the js script gets executed

Expected Result

the js script doesn't get executed

Debug Information

according to https://www.zkoss.org/wiki/ZK_Developer%27s_Reference/Security_Tips/Cross-site_scripting#What_ZK_Encodes, ZK should also encode this attribute like other components do, e.g. chosenbox emptyMessage is encoded.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

xss-html-escape.zul
0.3 kB
19/May/22 6:50 AM

relates to

ZK-5182 Prevent XSS issue in component attributes

Closed

Assignee:: jumperchen

Reporter:: hawk

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 19/May/22 6:52 AM

Updated:: 29/Dec/23 9:19 AM

Resolved:: 29/Dec/23 9:19 AM