[jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-2204) Potential XSS issue in seam text with allowed href attribute

Christian Bauer (JIRA) jira-events at lists.jboss.org
Mon Nov 12 01:29:44 EST 2007

     [ http://jira.jboss.com/jira/browse/JBSEAM-2204?page=all ]

Christian Bauer updated JBSEAM-2204:

    Priority: Critical  (was: Major)

This is indeed a critical issue: both the href and the style attribute are vulnerable to attribute-based cross-site scripting attacks.

I didn't know that you can execute expression() in CSS; this is another horrible IE extension. So that means that the style attribute can no longer be allowed by Seam Text.


Alternative solution: Escape HTML attribute values.

> Potential XSS issue in seam text with allowed href attribute
> ------------------------------------------------------------
>                 Key: JBSEAM-2204
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2204
>             Project: JBoss Seam
>          Issue Type: Bug
>          Components: Wiki
>    Affects Versions: 2.0.0.GA
>            Reporter: Christian Bauer
>         Assigned To: Christian Bauer
>            Priority: Critical
> We allow <a href="foo"/> in Seam Text, which can potentially be abused to inject Javascript executed in the context of the page. Need to evaluate impact of leaving or removing.

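One way to apply the "escape HTML attribute values" alternative from the comment above, as an added example that is not Seam's own code: a renderer that keeps only href on an anchor, refuses URL schemes outside a constructed allowlist, drops style (and any other attribute) outright, and HTML-escapes everything it emits. The attribute and scheme policy here is assumed for the example, not taken from Seam Text.

```python
import html
from urllib.parse import urlsplit

# Constructed policy for this example: only href survives on <a>, and only
# with one of these URL schemes. style is not in the list at all, so CSS
# expression() never reaches the browser; javascript: fails the scheme check.
ALLOWED_ATTRIBUTES = {"href"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Return a usable href value, or None if the link must be dropped."""
    # Browsers skip tabs and newlines inside a scheme, so remove
    # non-printable characters before inspecting it, not after.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return None  # unparsable (e.g. broken IPv6 literal): refuse it
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    return cleaned  # absolute link with an allowed scheme, or a relative one


def render_anchor(attrs, text):
    """Render an <a> element from user-supplied attributes and link text.

    Unknown attributes (style among them) are discarded, href is scheme
    checked, and every emitted value is HTML-escaped so a quote inside
    the value cannot close the attribute and start a new one.
    """
    kept = {}
    for name, value in attrs.items():
        if name.lower() not in ALLOWED_ATTRIBUTES:
            continue
        href = safe_href(value)
        if href is not None:
            kept["href"] = href
    body = html.escape(text, quote=False)
    if not kept:
        return body  # no acceptable target: keep the text, lose the anchor
    attr_text = " ".join(
        '%s="%s"' % (name, html.escape(value, quote=True))
        for name, value in sorted(kept.items())
    )
    return "<a %s>%s</a>" % (attr_text, body)


if __name__ == "__main__":
    print(render_anchor({"href": "http://example.com/", "style": "color:red"}, "ok"))
    print(render_anchor({"href": "javascript:void(0)"}, "dropped link"))
```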

