ninjaframework / ninja

Ninja is a full stack web framework for Java. Rock solid, fast and super productive.
http://www.ninjaframework.org
Apache License 2.0

XSS in example blog application #671

Closed fxb-cocacoding closed 3 years ago

fxb-cocacoding commented 5 years ago

If you run the example blog application via

mvn archetype:generate -DarchetypeGroupId=org.ninjaframework -DarchetypeArtifactId=ninja-servlet-jpa-blog-archetype

then the example application has a persistent cross-site scripting vulnerability. You can reproduce this behavior if you create a new blog entry with

<script>alert('xss')</script>

raphaelbauer commented 5 years ago

Wonderful finding! Would you mind fixing the archetype?

llenrup commented 5 years ago

No HTML is being escaped after the update to the latest version of FreeMarker, as it changed various things. See my pull request for a way around this.
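
An added example, not part of the thread and not the change from the pull request mentioned above: a regression check that renders the reported payload through FreeMarker with and without an HTML output format, so that a dependency update which silently drops escaping is caught. The class name, template name and template string are constructed for illustration, and it assumes FreeMarker 2.3.24 or later (the release that introduced output formats) on the classpath.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.core.OutputFormat;
import freemarker.core.UndefinedOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;

import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

public class EscapingRegressionCheck {

    // Constructed stand-in for a blog view; not the archetype's real template.
    static final String VIEW = "<h2>${title}</h2>";

    // Payload taken from the report in this issue.
    static final String PAYLOAD = "<script>alert('xss')</script>";

    // Render VIEW with the stored title under the given output format.
    static String render(OutputFormat format) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_24);
        cfg.setOutputFormat(format);
        Template t = new Template("post.ftl.html", new StringReader(VIEW), cfg);
        StringWriter out = new StringWriter();
        t.process(Collections.singletonMap("title", PAYLOAD), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Undefined output format: interpolations are written as-is.
        String raw = render(UndefinedOutputFormat.INSTANCE);
        // HTML output format: interpolations are auto-escaped.
        String escaped = render(HTMLOutputFormat.INSTANCE);

        System.out.println("no output format: " + raw);
        System.out.println("HTML output format: " + escaped);

        if (!raw.contains("<script>")) {
            throw new AssertionError("expected the unescaped baseline to contain markup");
        }
        if (escaped.contains("<script>") || !escaped.contains("&lt;script&gt;")) {
            throw new AssertionError("stored title was rendered without HTML escaping");
        }
    }
}
```

Pointing the same assertion at the application's real template configuration and views makes it a build-time guard for this class of regression.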