[UP-3315] Fix some XSS issue around inputting usernames. The issue was ... #379
Conversation
…s occurring because "</script>" always terminates the JS block -- even if that's inside a string. The JS interpreter would terminate the block and then misinterpret the unterminated contents of the string as executable code. The *right* solution for this is probably to start whitelisting the input characters for every input field. Any field that will be part of a RESTful URL should not be allowed to contain the '/' character. The "solution" in this commit is intended as a stop-gap. It solves this biggest issue -- the XSS vulnerability -- but it doesn't fully solve the issues caused by invalid chars in the input. IMO, this is better than what we had, but still not great. (cherry picked from commit b034dec)
Note: I'm creating this PR for now just to get the PR setup. I'm 99% sure that it's fine, but so far have been unable to test in 4.0.15 due to issues I am having with initdb in the 4.0.15-SNAPSHOT branch. Will update when I get a chance to test better... -- k. Was able to test the basic XSS issue. There is still an issue w/ tomcat not allowing %2f ('/') but that is expected.
I think this contribution would be better placed in the portlet-utils project in the portlet-mvc-util module, file org.jasig.web.jsp.JstlUtil so it could be used by portlets as well.
Also, please revise the commit message (and pull request message) from [up-3315] ... to UP-3315 ... to follow conventions.
…rtal into up-3315_patch
👍
Created issue uPortal-Project/portlet-utils#2 to track adding this functionality to portlet-util project.
Looks good to me too. Merging.
[UP-3315] Fix some XSS issue around inputting usernames. The issue was ...
Should probably have been opened on master, however.