Problem with XSS


This topic contains 3 replies, has 3 voices, and was last updated by Christian Kaltepoth 2 years, 9 months ago.

    #25321

    Regui
    Participant

    I have a problem with XSS. I use PrettyFaces for URL rewriting and manage parameter passing through the URL. These parameters are mapped to a bean. The problem is that a user can inject JavaScript via the URL. Is there a solution, configuration or method to avoid this behavior?

    Here is the pretty-config:

    <url-mapping id="template">
        <pattern value="/home/#{template}/" />
        <view-id value="/faces/pages/world.xhtml" />
    </url-mapping>
    <url-mapping id="country">
        <pattern value="/#{codCountry}/" />
        <view-id value="/faces/pages/world.xhtml" />
    </url-mapping>
    <url-mapping id="countryTemp">
        <pattern value="/#{codCountry}/#{template}/" />
        <view-id value="/faces/pages/world.xhtml" />
    </url-mapping>

    Thanks

    #25322

    You need to validate the values being passed in. This can be done with regexes[1], parameter validators[2], or by validating the value in your application code.

    [1] http://ocpsoft.org/docs/prettyfaces/3.3.3/en-US/html/Configuration.html#config.pathparams.regex
    [2] http://ocpsoft.org/docs/prettyfaces/3.3.3/en-US/html/Configuration.html#config.validation
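As an added example (not the original poster's configuration and not OCPsoft's own code), here is the same pretty-config hardened the way the reply above suggests: the path parameters are constrained with the regex form #{ /regex/ name } described in [1], and a JSF validator is attached to the country parameter as described in [2]. The validator id countryCodeValidator, the "home" mapping used as the onError target, and the character classes chosen for legitimate values are all assumptions; the validate element's attribute names are as given in the linked Configuration chapter and should be confirmed against the PrettyFaces version actually in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- pretty-config.xml: added example, not the original poster's config or
     OCPsoft's own. Hypothetical names: the JSF validator id
     "countryCodeValidator" and the "home" mapping used as onError target. -->
<pretty-config xmlns="http://ocpsoft.com/prettyfaces/3.3.3"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://ocpsoft.com/prettyfaces/3.3.3
                                   http://ocpsoft.com/xml/ns/prettyfaces/ocpsoft-pretty-faces-3.3.3.xsd">

    <!-- A landing page that the validate elements below fall back to (assumed). -->
    <url-mapping id="home">
        <pattern value="/" />
        <view-id value="/faces/pages/home.xhtml" />
    </url-mapping>

    <!-- WEAK (as posted in the question): #{template} matches any path
         segment, so /home/%3Cscript%3Ealert(1)%3C%2Fscript%3E/ reaches the
         view with the raw value bound to the parameter.
    <url-mapping id="template">
        <pattern value="/home/#{template}/" />
        <view-id value="/faces/pages/world.xhtml" />
    </url-mapping>
    -->

    <!-- HARDENED: the regex inside #{ /.../ name } replaces the default
         "anything but a slash" match. A segment that does not match the
         allowlist never maps to this view; the request falls through to the
         servlet container, which has no such resource and normally answers 404.
         Brace quantifiers such as {1,32} are avoided here because the closing
         brace would be ambiguous with the #{ } delimiter. -->
    <url-mapping id="template">
        <pattern value="/home/#{ /[a-z0-9-]+/ template }/" />
        <view-id value="/faces/pages/world.xhtml" />
    </url-mapping>

    <url-mapping id="country">
        <!-- Two lowercase letters only; "<" and ">" can never match. -->
        <pattern value="/#{ /[a-z][a-z]/ codCountry }/" />
        <view-id value="/faces/pages/world.xhtml" />
        <!-- Second layer (see [2] above): a JSF validator runs on path
             parameter 0, e.g. to check the code against the real country list.
             On failure PrettyFaces navigates to the "home" mapping instead of
             rendering the view. -->
        <validate index="0" validatorIds="countryCodeValidator" onError="pretty:home" />
    </url-mapping>

    <url-mapping id="countryTemp">
        <pattern value="/#{ /[a-z][a-z]/ codCountry }/#{ /[a-z0-9-]+/ template }/" />
        <view-id value="/faces/pages/world.xhtml" />
        <validate index="0" validatorIds="countryCodeValidator" onError="pretty:home" />
    </url-mapping>

</pretty-config>
```

The regex allowlist stops the payload at the URL-matching stage, before any bean is populated. It is input validation, so it protects only the values that pass through these mappings; it does not make a value that reached the application some other way (a query parameter, a form field) safe to render, which is why escaping at output time is still needed alongside it.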

    #25323

    Regui
    Participant

    Thanks for the quick response. I'll check the links you sent me.

    Regards.

    #25325

    @regui: There will only be an XSS issue if you render the values of the parameters to the resulting HTML page without escaping them. If you escape them, there won't be a problem.
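To illustrate the point about escaping, here is an added example Facelets page for the world.xhtml view (not code from this thread and not OCPsoft's own). It assumes the path parameter is mapped into a request-scoped bean countryBean with a String property codCountry, i.e. the pattern uses #{countryBean.codCountry}; both names are hypothetical. The first two outputs are safe, the third is the line that creates the vulnerability described in the question and is included only for contrast.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- world.xhtml: added example, not from the thread. Assumes a request-scoped
     bean "countryBean" with a String property "codCountry" that PrettyFaces
     populates from the URL (hypothetical names). -->
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html">
<h:head>
    <title>World</title>
</h:head>
<h:body>

    <!-- SAFE: h:outputText HTML-escapes the value by default, so a URL
         segment of %3Cscript%3Ealert(1)%3C%2Fscript%3E renders as the
         literal text &lt;script&gt;alert(1)&lt;/script&gt; and never runs. -->
    <p>Country: <h:outputText value="#{countryBean.codCountry}" /></p>

    <!-- SAFE: in JSF 2 Facelets, EL written directly into template text is
         escaped the same way, so this line is equivalent to the one above. -->
    <p>Country (inline EL): #{countryBean.codCountry}</p>

    <!-- UNSAFE, shown only for contrast and to be removed in real code:
         escape="false" writes the raw request value into the document, so the
         same URL segment becomes a live script element. Use escape="false"
         only for markup the application generated itself, never for
         anything that came from the request. -->
    <p>Country (raw): <h:outputText value="#{countryBean.codCountry}" escape="false" /></p>

</h:body>
</html>
```

One caveat a practitioner should keep in mind: HTML entity escaping is the right encoder for element content and quoted attribute values, which is what the examples above are. It does not make a request value safe inside an href (a javascript: URL survives entity escaping intact), inside an inline script block, or inside an event-handler attribute; those contexts need their own encoding or, better, an allowlist on the input such as the regex path parameters from the earlier reply.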
