ICEfaces / ICE-7595

JavaScript echo through focus parameter

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.RC1
    • Fix Version/s: 3.0, EE-1.8.2.GA_P04
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      ICEfaces

      Description


      If the ice.focus parameter is set to contain JavaScript, this may be executed on a subsequent page view.

      As mentioned in the forum post, setting ice.focus:

      ice.focus=form.starSearchClient');alert('Xss

      will allow the JavaScript to be executed because the page contains:

      Ice.focus.setFocus('form.startSearclClient');alert('Xss');
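
      The echo described above, next to one way to harden it, as an added example that is not taken from this issue or from the ICEfaces fix. The class and method names and the allowed id character set are assumptions made for illustration; the payload is the one quoted in the description.

```java
import java.util.regex.Pattern;

public class FocusScriptExample {
    // Assumption: a component client id only needs these characters.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_.:\\-]{1,255}");

    // The 'before': the request value is concatenated into a JS string literal,
    // so a quote in the value ends the literal and the rest runs as script.
    static String unsafeScript(String focus) {
        return "Ice.focus.setFocus('" + focus + "');";
    }

    // Encode for a JavaScript string context: anything outside the id
    // alphabet becomes a backslash-u hex escape, so quotes, parentheses
    // and semicolons can never terminate the literal.
    static String jsStringEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean idChar = c < 128 && (Character.isLetterOrDigit(c)
                    || c == '.' || c == '_' || c == ':' || c == '-');
            if (idChar) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    // The 'after': reject values that are not shaped like a client id,
    // and still encode what is written (defence in depth).
    static String safeScript(String focus) {
        if (focus == null || !SAFE_ID.matcher(focus).matches()) {
            return ""; // emit no focus script at all
        }
        return "Ice.focus.setFocus('" + jsStringEscape(focus) + "');";
    }

    public static void main(String[] args) {
        String[] samples = { "form.starSearchClient", "form.starSearchClient');alert('Xss" };
        for (String s : samples) {
            System.out.println("unsafe : " + unsafeScript(s));
            System.out.println("safe   : " + safeScript(s));
            System.out.println("encoded: Ice.focus.setFocus('" + jsStringEscape(s) + "');");
        }
    }
}
```

      For the second sample, `safeScript` emits nothing, and the encoded-only line keeps the whole value inside a single string literal.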

        Activity

        Ted Goddard created issue
        Ted Goddard made changes (Field: Original Value -> New Value)
          Assignee: (empty) -> Ken Fyten [ ken.fyten ]
        Ted Goddard made changes
          Salesforce Case: (empty) -> []
          Fix Version/s: (empty) -> EE-1.8.2.GA_P04 [ 10280 ]
        Ken Fyten made changes
          Salesforce Case: (empty) -> []
          Assignee Priority: (empty) -> P2
          Assignee: Ken Fyten [ ken.fyten ] -> Mircea Toma [ mircea.toma ]
        Mircea Toma made changes
          Status: Open [ 1 ] -> Resolved [ 5 ]
          Resolution: (empty) -> Fixed [ 1 ]
        Ken Fyten made changes
          Status: Resolved [ 5 ] -> Closed [ 6 ]

          People

          • Assignee: Mircea Toma
          • Reporter: Ted Goddard
          • Votes: 0
          • Watchers: 0