[jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-2204) Potential XSS issue in seam text with allowed href attribute

Christian Bauer (JIRA) jira-events at lists.jboss.org
Mon Nov 12 02:42:44 EST 2007

     [ http://jira.jboss.com/jira/browse/JBSEAM-2204?page=all ]

Christian Bauer closed JBSEAM-2204.

    Fix Version/s: 2.0.1.GA
       Resolution: Done

Resolved this (I hope) by not allowing double or single quotes in HTML attribute values. This should prevent attribute-based attacks, such as simply embedding JavaScript in the HREF attribute.

Also removed the <embed> and <object> tags from the allowed list; these would open up XSS holes by executing Flash movies in the page context.

> Potential XSS issue in seam text with allowed href attribute
> ------------------------------------------------------------
>                 Key: JBSEAM-2204
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2204
>             Project: JBoss Seam
>          Issue Type: Bug
>          Components: Wiki
>    Affects Versions: 2.0.0.GA
>            Reporter: Christian Bauer
>         Assigned To: Christian Bauer
>            Priority: Critical
>             Fix For: 2.0.1.GA
> We allow <a href="foo"/> in Seam Text, which can potentially be abused to inject JavaScript executed in the context of the page. Need to evaluate impact of leaving or removing.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
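The hardening described in the comment above, as an added example that is not Seam's own code: a small allowlist sanitizer that rejects a quote of either kind inside an attribute value, renders tags that are no longer allowed (such as <embed> and <object>) as escaped text, and additionally checks the scheme of href/src values, a check the ticket itself does not describe. The tag and attribute lists and the sample inputs are constructed for illustration.

```python
import re
from html import escape

# Constructed illustrative allowlist, not Seam Text's real grammar. <embed> and
# <object> are deliberately absent, mirroring the JBSEAM-2204 change.
ALLOWED_TAGS = {"a": {"href"}, "b": set(), "i": set(), "p": set(), "img": {"src", "alt"}}
# Scheme allowlist for URL attributes; stricter than the quote rule in the ticket.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")

TAG_RE = re.compile(r"<(/?)([A-Za-z]+)((?:\s+[A-Za-z]+=(?:\"[^\"]*\"|'[^']*'))*)\s*(/?)>")
ATTR_RE = re.compile(r"([A-Za-z]+)=(?:\"([^\"]*)\"|'([^']*)')")


def attribute_ok(tag, name, value):
    """Apply the JBSEAM-2204 rule: no quote of either kind inside a value."""
    if name not in ALLOWED_TAGS[tag]:
        return False
    if '"' in value or "'" in value:
        # A quote inside the value could terminate the attribute when the
        # markup is re-emitted and smuggle in additional attributes.
        return False
    if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
        return False
    return True


def sanitize(text):
    """Keep allowed tags/attributes, escape everything else; None if an attribute is rejected."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(escape(text[pos:m.start()]))
        pos = m.end()
        closing, tag, raw_attrs, selfclose = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
        if tag not in ALLOWED_TAGS:
            out.append(escape(m.group(0)))  # <embed>, <object>, <script> become literal text
            continue
        attrs = []
        for a in ATTR_RE.finditer(raw_attrs):
            name = a.group(1).lower()
            value = a.group(2) if a.group(2) is not None else a.group(3)
            if not attribute_ok(tag, name, value):
                return None  # reject the whole document, as a strict parser would
            attrs.append(f' {name}="{escape(value, quote=True)}"')
        out.append(f"<{closing}{tag}{''.join(attrs)}{'/' if selfclose else ''}>")
    out.append(escape(text[pos:]))
    return "".join(out)
```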
