XSS Vulnerability in generic lists #1417
Milestone
Comments
josephrignanese
added a commit
to josephrignanese/acs-aem-commons
that referenced
this issue
Jul 6, 2018
justinedelson
added a commit
that referenced
this issue
Jul 7, 2018
[bugfix #1417] Added XSS encoding for genericlist components
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Required Information
Expected Behavior
When a generic list page or item contains html code it should be adequately encoded when rendered on the page to prevent an XSS attack
Actual Behavior
Content is rendered without escaping
Steps to Reproduce
Install ACS Commons
Create a new generic list page and enter the title as <script type="text/javascript">alert('1');</script>
Drag an ACS commons generic list item into the page and enter the title as <script type="text/javascript">alert('2');</script>. Enter the value as <script type="text/javascript">alert('3');</script>
When the page is opened observe that you are prompted with alerts 1, 2 and 3.
Links
acs-commons-genericlist-xss-test.zip
The text was updated successfully, but these errors were encountered: