XSS in triStateCheckbox #3772

cnsgithub · 2018-06-12T08:38:44Z

1) Environment

PrimeFaces version: 6.3-snapshot

2) Expected behavior

Proper escaping of attributes stateOneTitle, stateTwoTitle, stateThreeTitle.

3) Actual behavior

The mentioned attributes are not escaped at all.

4) Steps to reproduce

Modify first p:triStateCheckbox of showcase to
<p:triStateCheckbox value="#{triStateCheckboxView.value1}" stateOneTitle="" onmouseover="alert('stateOneTitle xss');" " stateTwoTitle="" onmouseover="alert('stateTwoTitle xss');" " stateThreeTitle="" onmouseover="alert('stateThreeTitle xss');" "/>

Hovering first checkbox will trigger alert box.

5) Sample XHTML

see above

6) Sample bean

showcase

The text was updated successfully, but these errors were encountered:

cnsgithub · 2018-06-12T11:18:48Z

@tandraschko Could you please add the security label? Thanks.

Pull request: #3773. Please carefully read the PR comment.

cnsgithub · 2018-06-12T11:43:04Z

Ah okay, @Rapster is a member now and also may add those labels. 😉

Rapster added the 🔒 security Security related issue or enhancement label Jun 12, 2018

tandraschko closed this as completed in 91ac62c Jun 12, 2018

tandraschko added this to the 6.3 milestone Jun 12, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS in triStateCheckbox #3772

XSS in triStateCheckbox #3772

cnsgithub commented Jun 12, 2018

cnsgithub commented Jun 12, 2018

cnsgithub commented Jun 12, 2018

XSS in triStateCheckbox #3772

XSS in triStateCheckbox #3772

Comments

cnsgithub commented Jun 12, 2018

1) Environment

2) Expected behavior

3) Actual behavior

4) Steps to reproduce

5) Sample XHTML

6) Sample bean

cnsgithub commented Jun 12, 2018

cnsgithub commented Jun 12, 2018