[richfaces-issues] [JBoss JIRA] Updated: (RF-4712) hidden field javax.faces.ViewState is not sanitized

[ https://jira.jboss.org/jira/browse/RF-4712?page=com.atlassian.jira.plugin... ] Gerrit Brehmer updated RF-4712: ------------------------------- Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3 (was: jsf-ri 1.2_06-b02-FCS, facelets 1.1.13, RichFaces 3.1.2SP1, WindowsXP(x86_64)) Fix Version/s: (was: 3.2.0) Affects Version/s: 3.2.2 (was: 3.1.2) Description: Sorry for duplicating the old bug, but I think he had the same problem... We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting Problem: If I attach the following at any JSF site url I get a javascript popup: ?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)> I know that we could filter each request. was: Here is the sample facelets page in my application that produces the symptom. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:f="http://java.sun.com/jsf/core" xmlns:h="http://java.sun.com/jsf/html" xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:a4j="http://richfaces.org/a4j" xmlns:rich="http://richfaces.org/rich" xmlns="http://www.w3.org/1999/xhtml" > <head> <title></title> </head> <body> <f:view> <h:form> <rich:panel header="Simple Echo"> <h:inputText size="20" value="#{startupBean.command}" > <a4j:support event="onkeyup" reRender="ruleTest" action="#{startupBean.doApprove}"/> </h:inputText> <h:outputText value="#{startupBean.result}" id="ruleTest"/> </rich:panel> </h:form> </f:view> </body> </html> The fist time rendered output like following, <?xml version="1.0"?> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title></title><link type="text/css" rel="stylesheet" href="/a4j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type="text/javascript" src="/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf"> </script></head> <body><span id="j_id2:ruleTest">world</span><meta name="Ajax-Update-Ids" content="j_id2:ruleTest" /><span id="ajax-view-state"><input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="_id2" /></span><meta id="Ajax-Response" name="Ajax-Response" content="true" /></body> </html> When the javax.faces.ViewState hidden param injection made a Post Request like below AJAXREQUEST=_viewRoot&j_id2=j_id2&j_id2%3Aj_id4=hello&javax.faces.ViewState=_id2"<script>alert(document.cookie);</script>&j_id2%3Aj_id5=j_id2%3Aj_id5& rendered response is <?xml version="1.0"?> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title></title><link type="text/css" rel="stylesheet" href="/a4j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type="text/javascript" src="/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf"> </script></head> <body><span id="j_id2:ruleTest">world</span><meta name="Ajax-Update-Ids" content="j_id2:ruleTest" /><span id="ajax-view-state"><input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="_id2" /><script type="text/javascript">//<![CDATA[ alert(document.cookie); //]]> </script>" /&gt;</span><meta id="Ajax-Response" name="Ajax-Response" content="true" /></body></html> I'm not sure it's jsf-ri issue or richfaces, but if javax.faces.STATE_SAVING_METHOD set to client, I couldn't reproduce the same issue. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira