[richfaces-issues] [JBoss JIRA] Closed: (RF-4712) hidden field javax.faces.ViewState is not sanitized
[
https://jira.jboss.org/jira/browse/RF-4712?page=com.atlassian.jira.plugin...
]
Gerrit Brehmer closed RF-4712.
------------------------------
Resolution: Duplicate Issue
duplicated RF-4713
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4712
URL: https://jira.jboss.org/jira/browse/RF-4712
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Assignee: Viktor Volkov
Sorry for duplicating the old bug, but I think he had the same problem...
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
I know that we could filter each request.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira