OC-17705:Fix XSS finding in report #3516
Conversation
| escapedStr= escapedStr.replaceAll("<script>", ""); | ||
| escapedStr= escapedStr.replaceAll("</script>", ""); | ||
| escapedStr= escapedStr.replaceAll("<style>", ""); | ||
| escapedStr= escapedStr.replaceAll("</style>", ""); |
There was a problem hiding this comment.
I am not sure we need to replace these tags if you are escaping javascript in the line below
There was a problem hiding this comment.
In general, this seems like a big change and I am wary of the consequences of this change. I think we should limit the fix to the affected code by escaping javascript in the jsp that is displaying the query parameters. E.g. using a c:out tag will automatically escape the values.
There was a problem hiding this comment.
I agree that this'll be a big change if fix like this at code level, in this reported case, we use one 3rd party technology ---Jmesa dynamic tables (jmesa-2.4.2-oc.jar), so all page html code (include javascripts, css) are dynamically generated by the 3rd party library with the HTTP Request as one of the input, for example, in java class file ListStudySubjectsServlet.java, under the method createTable() will use below line to create table html:
String findSubjectsHtml = factory.createTable(request, response).render();
There is no place to use c:out tag to intercept the output of the above method,
I will do more research at Nginx content security policy setting, hope can find solution by modification of nginx configuration
No description provided.