[richfaces-issues] [JBoss JIRA] Updated: (RF-3916) a4j:htmlCommandLink doesn't encode its value

Wednesday, 16 July 2008

     [
http://jira.jboss.com/jira/browse/RF-3916?page=com.atlassian.jira.plugin....
]

Lars Koedderitzsch updated RF-3916:
-----------------------------------

    Priority: Blocker  (was: Critical)

HtmlCommandLinkRenderer should probably user writer.writeText() (instead of
writer.write()) in its encodeValue method.

...
 a4j:htmlCommandLink doesn't encode its value
 --------------------------------------------

                 Key: RF-3916
                 URL: http://jira.jboss.com/jira/browse/RF-3916
             Project: RichFaces
          Issue Type: Bug
    Affects Versions: 3.1.2
            Reporter: Lars Koedderitzsch
            Priority: Blocker

 a4j:htmlCommandLink doesn't encode its value - which opens a door for malicious
attacks against RichFaces applications, e.g. the injection of scripts.
 The bug is also present in 3.2.1. 
-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

[richfaces-issues] [JBoss JIRA] Updated: (RF-3916) a4j:htmlCommandLink doesn't encode its value