Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 1.8.2-EE-GA_P01, 2.0-Beta2
-
Fix Version/s: 2.0.0
-
Component/s: Framework, ICE-Components
-
Labels:None
-
Environment:All
-
Workaround Exists:Yes
-
Workaround Description:
Description
The ICEfaces output component are not escaped by default which makes them vulnerable to cross site scripting attacks. The <ice:outputText> uses the escape attribute but the other output components do not (ex: <ice:selectOneMenu/>). Doing a test in a pure JSF application reveals that the JSF framework by default filters/escapes JavaScript by default.
-
Hide
-
-
META-INF/MANIFEST.MF
-
META-INF/context.xml
-
WEB-INF/classes/.../example/TestBean.class
-
WEB-INF/faces-config.xml
-
WEB-INF/lib/FastInfoset.jar
-
WEB-INF/lib/backport-util-concurrent.jar
-
WEB-INF/lib/commons-beanutils.jar
-
WEB-INF/lib/commons-collections.jar
-
WEB-INF/lib/commons-digester.jar
-
WEB-INF/lib/commons-discovery.jar
-
WEB-INF/lib/commons-el.jar
-
WEB-INF/lib/commons-fileupload.jar
-
WEB-INF/lib/commons-lang.jar
-
WEB-INF/lib/commons-logging.jar
-
WEB-INF/lib/icefaces-comps.jar
-
WEB-INF/lib/icefaces.jar
-
WEB-INF/lib/jsf-api-1.2.jar
-
WEB-INF/lib/jsf-impl-1.2.jar
-
WEB-INF/web.xml
-
display-listbox-page.jspx
-
display-page.jspx
-
index.jsp
-
main.jspx
-
page.jspx
-
-
-
Hide
-
-
META-INF/MANIFEST.MF
-
META-INF/context.xml
-
WEB-INF/classes/.../example/TestBean.class
-
WEB-INF/faces-config.xml
-
WEB-INF/lib/commons-beanutils.jar
-
WEB-INF/lib/commons-collections.jar
-
WEB-INF/lib/commons-digester.jar
-
WEB-INF/lib/commons-logging.jar
-
WEB-INF/lib/jsf-api.jar
-
WEB-INF/lib/jsf-impl.jar
-
WEB-INF/lib/jstl.jar
-
WEB-INF/lib/standard.jar
-
WEB-INF/web.xml
-
display-listbox-page.jsp
-
display-page.jsp
-
welcomeJSF.jsp
-
-
-
Hide
-
-
Case9225Example2/build.xml
-
Case9225Example2/.../ant-deploy.xml
-
Case9225Example2/.../build-impl.xml
-
Case9225Example2/.../faces-config.NavData
-
Case9225Example2/.../genfiles.properties
-
Case9225Example2/.../private.properties
-
Case9225Example2/nbproject/.../private.xml
-
Case9225Example2/.../project.properties
-
Case9225Example2/nbproject/project.xml
-
Case9225Example2/src/conf/MANIFEST.MF
-
Case9225Example2/src/.../TestBean.java
-
Case9225Example2/.../display-listbox-page.jsp
-
Case9225Example2/web/display-page.jsp
-
Case9225Example2/web/.../context.xml
-
Case9225Example2/web/.../faces-config.xml
-
Case9225Example2/web/WEB-INF/web.xml
-
Case9225Example2/web/welcomeJSF.jsp
-
Case9225Example/build.xml
-
Case9225Example/nbproject/ant-deploy.xml
-
Case9225Example/nbproject/build-impl.xml
-
Case9225Example/.../faces-config.NavData
-
Case9225Example/.../genfiles.properties
-
Case9225Example/.../private.properties
-
Case9225Example/nbproject/.../private.xml
-
Case9225Example/.../project.properties
-
Case9225Example/nbproject/project.xml
-
Case9225Example/src/conf/MANIFEST.MF
-
Case9225Example/src/.../TestBean.java
-
Case9225Example/.../display-listbox-page.jspx
-
Case9225Example/web/display-page.jspx
-
-
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
| Field | Original Value | New Value |
|---|---|---|
| Attachment | Case9225Example2.war [ 12423 ] |
| Attachment | Case9225Example.war [ 12424 ] |
| Attachment | Case9225ExampleCode.zip [ 12425 ] |
| Salesforce Case | [5007000000C47HV] |
| Fix Version/s | 1.8.2-EE-GA_P02 [ 10226 ] | |
| Fix Version/s | 1.8.3 [ 10211 ] |
| Assignee Priority | P1 | |
| Assignee | Greg Dick [ greg.dick ] |
| Assignee | Greg Dick [ greg.dick ] | Ted Goddard [ ted.goddard ] |
| Fix Version/s | 2.0.0 [ 10230 ] | |
| Fix Version/s | 1.8.3 [ 10211 ] | |
| Fix Version/s | 1.8.2-EE-GA_P02 [ 10226 ] | |
| Assignee Priority | P1 | |
| Affects Version/s | 2.0-Beta2 [ 10242 ] |
| Attachment | showcase-additions.zip [ 12670 ] |
| Status | Open [ 1 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] |
| Security | Private [ 10001 ] |
| Status | Resolved [ 5 ] | Closed [ 6 ] |