Closed wofwofwof closed 9 years ago
Hi,
Thanks for reporting wof! Could you please provide an example of XSS?
Thanks!
Hello tduchateau, in petclinic go to the owner site, there edit one owner and add
<script>alert('xss')</script>
in Address or City, then go to the owner list again and click on search and you will see the message.
cheers wof
Reproduced. Thanks!
Hello, I've found it while trying https://github.com/spring-projects/spring-petclinic/. On the owner page you can put in XSS in Address and City.
For me it looks like the Tags with style
won't be escaped probably, only the title.
As far as I understand the source the fix should be in ColumnTag in method doEndTag or in AbstractColumnTag in method addDomBodyColumn. Just add the StringUtils.escape(this.escapeXml, this.property) as you have done for the title.
cheers
wof
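A small model of the defect described in this thread, added here as an illustration and not taken from the issue, petclinic, or the tag library's code: the column title goes through the escape step while the column body (the bean property) is written raw, so an Address value containing markup is rendered as live HTML. The `render_column` function, the `OWNER` record and the `escape_body` switch are constructed for this example.

```python
"""Constructed model of a table column tag: title escaped, body not.

escape_body=False reproduces the reported bug; escape_body=True applies the
suggested fix (escape the property value exactly as the title is escaped).
"""
import html

# Constructed sample owner row; the Address carries the payload from the report.
OWNER = {
    "name": "Betty Davis",
    "address": "<script>alert('xss')</script>",
    "city": "Sun Prairie",
}

COLUMNS = [("Name", "name"), ("Address", "address"), ("City", "city")]


def render_column(title, value, escape_xml=True, escape_body=True):
    """Render one header/cell pair.

    escape_xml mirrors the tag's escapeXml attribute. The title is always
    subject to it; the body only when escape_body is True (the fix).
    """
    safe_title = html.escape(title, quote=True) if escape_xml else title
    raw = str(value)
    safe_value = html.escape(raw, quote=True) if (escape_xml and escape_body) else raw
    return f"<th>{safe_title}</th><td>{safe_value}</td>"


def render_row(owner=OWNER, escape_body=True):
    """Render every column of one owner as a single HTML fragment."""
    return "".join(
        render_column(title, owner[prop], escape_body=escape_body)
        for title, prop in COLUMNS
    )


def render_vulnerable(owner=OWNER):
    """Behaviour before the fix: property values are emitted unescaped."""
    return render_row(owner, escape_body=False)


def render_fixed(owner=OWNER):
    """Behaviour after the fix: property values escaped like the title."""
    return render_row(owner, escape_body=True)


def contains_active_script(fragment):
    """Regression check: does a raw <script ...> tag survive rendering?"""
    return "<script" in fragment.lower()
```

Running `contains_active_script(render_vulnerable())` against the owner list output is the kind of regression check worth keeping once the property value is escaped in `addDomBodyColumn`.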