ZCS-1795 Persistent XSS happens on textbox
Issue:
- Error text in form fields was executing text in the DOM, which can be used for XSS attacks

Resolution:
- Before adding the error to the DOM, HTML-encode the text to make sure it is not executed in the browser
- This is done at a generic place so it will affect error display for all form fields
silentsakky committed Jul 24, 2017
1 parent 8717fbd commit 8d039d6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion WebRoot/js/ajax/dwt/xforms/XFormItem.js
Expand Up @@ -688,7 +688,7 @@ XFormItem.prototype.setError = function(message, childError) {
this.getForm().addErrorItem(this);
this.__errorState = XFormItem.ERROR_STATE_ERROR;
var container = this.getErrorContainer(true);
if (container) container.innerHTML = message;
if (container) container.innerHTML = AjxStringUtil.htmlEncode(message);
};

/**
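Review bot: the replacement `container.innerHTML = AjxStringUtil.htmlEncode(message);` closes the injection on this path, but because the container is still written through `innerHTML`, the fix is only as strong as `htmlEncode`'s escaping of `&`, `<` and `>`; it is also a behaviour change for any caller that deliberately passed markup in `message`, which will now render as literal tags. Consider writing the text node directly (`textContent`, with an `innerText` fallback where the supported browsers need it) so no encoder is in the loop, and document on `setError` that `message` is now treated as plain text rather than HTML.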

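The pattern the commit describes, shown as an added example that is not Zimbra's code: a minimal HTML encoder standing in for `AjxStringUtil.htmlEncode` (an assumption about which characters the real one escapes), a stub object in place of a DOM element so the test runs outside a browser, and the "before" and "after" shapes of the patched `setError` line side by side. The sample error string is constructed.

```javascript
// Added example, not from the Zimbra repository.

// Stand-in for AjxStringUtil.htmlEncode (assumed behaviour: escapes at least
// these five characters). '&' is replaced first so already-escaped input is
// not double-decoded later.
function htmlEncode(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal stand-in for a DOM element: it only records what a browser would
// have parsed as HTML.
function makeContainer() {
  return { innerHTML: '' };
}

// "Before" shape of the patched line: the message is handed to the HTML
// parser as-is, so any markup in it becomes live DOM.
function setErrorUnsafe(container, message) {
  container.innerHTML = message;
  return container.innerHTML;
}

// "After" shape: the message is encoded first, so the browser shows the
// characters literally instead of interpreting them as tags.
function setErrorSafe(container, message) {
  container.innerHTML = htmlEncode(message);
  return container.innerHTML;
}

// Crude detector used only to make the difference visible in the test;
// real browsers parse far more leniently than this regex.
function containsTag(html) {
  return /<[a-zA-Z!\/]/.test(html);
}

// Constructed sample: a form value echoed back inside an error message.
const SAMPLE_ERROR = 'Invalid value: <script>evil()</script>';
```

`setErrorUnsafe` returns the sample unchanged, so the `<script>` element would be created by a real browser; `setErrorSafe` returns `Invalid value: &lt;script&gt;evil()&lt;/script&gt;`, which renders as visible text. Because the safe variant still goes through `innerHTML`, its guarantee is exactly the encoder's coverage of `&`, `<` and `>`; writing `textContent` instead removes that dependency.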