me0wster / javamelody

Automatically exported from code.google.com/p/javamelody

Add XSS protection #252

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
My app failed a penetration test because of XSS vulnerabilities in Java Melody.
Particularly, URL parameters such as SessionID are output to HTML unescaped, which allows the injection of malicious javascript.
All variables or parameters should be HTML and/or URL encoded when output to HTML pages.

Original issue reported on code.google.com by jon.ner...@gmail.com on 10 Sep 2012 at 4:53
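The encoding the reporter asks for, shown as an added example that is not JavaMelody's own code: the class, the `htmlEscape`/`renderEscaped` helpers and the `sessionId` value are assumed for illustration. It puts the reported pattern (a request parameter written straight into the page) beside the hardened form, which encodes the value for each output context it lands in: HTML-encoding in element text, URL-encoding followed by HTML-encoding inside an href.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example, not JavaMelody code: encode untrusted request parameters
// (the "SessionID" echoed on the monitoring page) for the context they land in.
public final class SessionIdRendering {

    /** HTML-encode the characters that can break out of text or a quoted attribute. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern (the reported bug): the parameter is written to HTML as-is. */
    static String renderUnescaped(String sessionId) {
        return "<h2>Session " + sessionId + "</h2>"
             + "<a href=\"?sessionId=" + sessionId + "\">details</a>";
    }

    /** Hardened pattern: HTML-encode in text; URL-encode, then HTML-encode, inside the href. */
    static String renderEscaped(String sessionId) {
        String inUrl = URLEncoder.encode(sessionId, StandardCharsets.UTF_8); // Java 10+ overload
        return "<h2>Session " + htmlEscape(sessionId) + "</h2>"
             + "<a href=\"?sessionId=" + htmlEscape(inUrl) + "\">details</a>";
    }

    public static void main(String[] args) {
        // Constructed sample value: a session id carrying markup, as a scanner would send.
        String probe = "abc\"><script>x()</script>";
        System.out.println(renderUnescaped(probe)); // markup survives: reflected XSS
        System.out.println(renderEscaped(probe));   // markup is inert text in both contexts
    }
}
```

The same rule applies to every value taken from the request (headers, cookie names, path segments), not only the session id; pick the encoder by where the value is written, not by where it came from.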

GoogleCodeExporter commented 9 years ago
Can you give more details about this, including the different cases if you have any?
You can certainly send it in private to me (evernat _at_ free.fr).

Original comment by evernat@free.fr on 10 Sep 2012 at 10:39

GoogleCodeExporter commented 9 years ago
This is now fixed and ready for the next release (1.41).

If you do not want to wait for the release, I have made a new build of the jar 
file, and of the war of the collect server, including the fix:
http://javamelody.googlecode.com/files/javamelody-20120916.jar
http://javamelody.googlecode.com/files/javamelody-20120916.war

If the optional collect server is used, then using this new war of the collect 
server is certainly enough to fix the issue.

Thanks

Original comment by evernat@free.fr on 16 Sep 2012 at 10:16

GoogleCodeExporter commented 9 years ago
The fix is included in the v1.41 release, which is now available at:
https://code.google.com/p/javamelody/downloads/list

Original comment by evernat@free.fr on 1 Oct 2012 at 8:44