Uploaded image for project: 'ZK'
  1. ZK
  2. ZK-5182

Prevent XSS issue in component attributes

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Normal Normal
    • 10.0.0
    • 8.6.4.1, 9.6.5
    • None
    • None

      Affected versions

      All before 10.0.1

      User Story

      Some ZK components handle XSS issues by encoding user input, but not cover all component attributes.

      Acceptance Criteria

      Encoding by default, and use white list.

      Details

      Workaround

      <script> 
      		/**
      		 * Purpose: Workaround Prevent XSS exploit on attributes
      		 * For version: 8.X to 10.X
      		 * Last update: 10.0.0
      		 */
      		zk.afterLoad('zk', function() {
      		    var xWidget = {};
      		    zk.override(zk.Widget.prototype, xWidget, {
      		        domTooltiptext_ : function() {
      		            var result = xWidget.domTooltiptext_.apply(this, arguments);
      		            return zUtl.encodeXMLAttribute(result);
      		        },
      		        domClass_ : function() {
      		            var result = xWidget.domClass_.apply(this, arguments);
      		            return zUtl.encodeXMLAttribute(result);
      		        }
      		    });//zk.override
      		});//zk.afterLoad
      	</script>
      

            jumperchen jumperchen
            DevChu DevChu
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: