New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS in Failure() #463

Closed
NathanStrutz opened this Issue Dec 20, 2016 · 5 comments

Comments

Projects
None yet
2 participants
@NathanStrutz
Contributor

NathanStrutz commented Dec 20, 2016

It is possible to introduce a XSS type of hack by creating an incorrect action. Example:

/index.cfm?action=<script>alert(123)</script>

It can be mitigated by adding encodeForHTML() functions around variable outputs in the Failure() function.

@seancorfield

This comment has been minimized.

Show comment
Hide comment
@seancorfield

seancorfield Dec 20, 2016

Member

I'd consider it an edge case -- you should have your own error handler that does a better job. However, it's a valid point and now I'm no longer supporting older versions of CFML, a modern encoding function is fine. Per my comment on the PR, can you make that test pass too please, then I'll merge it.

Member

seancorfield commented Dec 20, 2016

I'd consider it an edge case -- you should have your own error handler that does a better job. However, it's a valid point and now I'm no longer supporting older versions of CFML, a modern encoding function is fine. Per my comment on the PR, can you make that test pass too please, then I'll merge it.

@seancorfield

This comment has been minimized.

Show comment
Hide comment
@seancorfield

seancorfield Feb 22, 2017

Member

@NathanStrutz Your PR still fails the CI tests...

Member

seancorfield commented Feb 22, 2017

@NathanStrutz Your PR still fails the CI tests...

@NathanStrutz

This comment has been minimized.

Show comment
Hide comment
@NathanStrutz

NathanStrutz Feb 24, 2017

Contributor

Yeah I'm lazy and busy. It's a bad combination. I'll get to it... soon.

Contributor

NathanStrutz commented Feb 24, 2017

Yeah I'm lazy and busy. It's a bad combination. I'll get to it... soon.

@seancorfield

This comment has been minimized.

Show comment
Hide comment
@seancorfield

seancorfield Feb 24, 2017

Member

Since yesterday, the CI tests are easier to run locally since it's all CommandBox/TestBox now, and all self-contained. No Ant, no MXUnit.

I'm only pestering you because I'm actively working on 4.1 this week :)

Member

seancorfield commented Feb 24, 2017

Since yesterday, the CI tests are easier to run locally since it's all CommandBox/TestBox now, and all self-contained. No Ant, no MXUnit.

I'm only pestering you because I'm actively working on 4.1 this week :)

@NathanStrutz

This comment has been minimized.

Show comment
Hide comment
@NathanStrutz

NathanStrutz Feb 24, 2017

Contributor

Oh that's great. Thanks. Maybe I should have put in a bug for that - I remember now that I couldn't get mxunit to run in Lucee, which was why I hadn't just churned it out. I'll give it another shot this weekend. Thank you!

Contributor

NathanStrutz commented Feb 24, 2017

Oh that's great. Thanks. Maybe I should have put in a bug for that - I remember now that I couldn't get mxunit to run in Lucee, which was why I hadn't just churned it out. I'll give it another shot this weekend. Thank you!

seancorfield added a commit that referenced this issue Feb 25, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment