Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS in Failure() #463

Closed
NathanStrutz opened this issue Dec 20, 2016 · 5 comments
Closed

XSS in Failure() #463

NathanStrutz opened this issue Dec 20, 2016 · 5 comments

Comments

@NathanStrutz
Copy link
Contributor

@NathanStrutz NathanStrutz commented Dec 20, 2016

It is possible to introduce a XSS type of hack by creating an incorrect action. Example:

/index.cfm?action=<script>alert(123)</script>

It can be mitigated by adding encodeForHTML() functions around variable outputs in the Failure() function.

@seancorfield
Copy link
Member

@seancorfield seancorfield commented Dec 20, 2016

I'd consider it an edge case -- you should have your own error handler that does a better job. However, it's a valid point and now I'm no longer supporting older versions of CFML, a modern encoding function is fine. Per my comment on the PR, can you make that test pass too please, then I'll merge it.

@seancorfield
Copy link
Member

@seancorfield seancorfield commented Feb 22, 2017

@NathanStrutz Your PR still fails the CI tests...

@NathanStrutz
Copy link
Contributor Author

@NathanStrutz NathanStrutz commented Feb 24, 2017

Yeah I'm lazy and busy. It's a bad combination. I'll get to it... soon.

@seancorfield
Copy link
Member

@seancorfield seancorfield commented Feb 24, 2017

Since yesterday, the CI tests are easier to run locally since it's all CommandBox/TestBox now, and all self-contained. No Ant, no MXUnit.

I'm only pestering you because I'm actively working on 4.1 this week :)

@NathanStrutz
Copy link
Contributor Author

@NathanStrutz NathanStrutz commented Feb 24, 2017

Oh that's great. Thanks. Maybe I should have put in a bug for that - I remember now that I couldn't get mxunit to run in Lucee, which was why I hadn't just churned it out. I'll give it another shot this weekend. Thank you!

seancorfield added a commit that referenced this issue Feb 25, 2017
Fix for #463 - XSS in failure()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.