AEM Version, including Service Packs, Cumulative Fix Packs, etc: 6.3
ACS AEM Commons Version: 3.14.10
Reproducible on Latest? yes
Expected Behavior
When a generic list page or item contains HTML code, it should be adequately encoded when rendered on the page to prevent an XSS attack.
Actual Behavior
Content is rendered without escaping
Steps to Reproduce
Install ACS Commons
Create a new generic list page and enter the title as <script type="text/javascript">alert('1');</script>
Drag an ACS Commons generic list item into the page and enter the title as <script type="text/javascript">alert('2');</script>. Enter the value as <script type="text/javascript">alert('3');</script>
When the page is opened, observe that you are prompted with alerts 1, 2 and 3.
Links
acs-commons-genericlist-xss-test.zip
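A regression check for the expected behavior described in this report, as an added example that is not part of the original issue or of ACS AEM Commons: it renders the three author-supplied fields from the steps to reproduce with and without HTML encoding and counts the `<script>` elements a parser sees. The renderer, its markup and all function names are assumptions for illustration, and Python's `html.escape` stands in for whatever encoding the component applies.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample data: the list title, item title and item value
# entered in the steps to reproduce.
SAMPLE_LIST = {
    "title": "<script type=\"text/javascript\">alert('1');</script>",
    "items": [{
        "title": "<script type=\"text/javascript\">alert('2');</script>",
        "value": "<script type=\"text/javascript\">alert('3');</script>",
    }],
}

def render_list(generic_list, encode):
    """Hypothetical renderer; `encode` is applied to every authored field."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            encode(item["title"]), encode(item["value"]))
        for item in generic_list["items"])
    return "<h1>{}</h1><table>{}</table>".format(
        encode(generic_list["title"]), rows)

def render_unescaped(generic_list):
    # Reported behavior: authored strings are written into the page as-is.
    return render_list(generic_list, lambda s: s)

def render_escaped(generic_list):
    # Expected behavior: authored strings are HTML-encoded on output.
    return render_list(generic_list, lambda s: escape(s, quote=True))

class _Inspector(HTMLParser):
    """Counts parsed <script> elements and collects visible text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts, self.text = 0, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
    def handle_data(self, data):
        self.text.append(data)

def inspect(markup):
    """Return (number of <script> elements, concatenated text content)."""
    parser = _Inspector()
    parser.feed(markup)
    parser.close()
    return parser.scripts, "".join(parser.text)
```

With encoding applied, the parser finds no script elements and the authored strings survive as literal text, which is what a reader of the list page should see.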