
[doc] Missing escaping leads to XSS #1468

Closed
adangel opened this Issue Nov 15, 2018 · 0 comments

adangel commented Nov 15, 2018

Description:
As pointed out in #1464

The documentation is however generated, so we have to fix the generator.
So, it's changed back already: fda3aa1

The generator produces this markdown representation out of jsp security.xml:

https://raw.githubusercontent.com/pmd/pmd/master/docs/pages/pmd/rules/jsp/security.md

Scroll down to the rule "NoUnsanitizedJSPExpression" - the description contains the HTML tag, while in the XML we were using escapes.

Tasks:

  • Unit test in pmd-doc to reproduce the problem and prevent it from appearing again
  • Fix the problem
  • Push to master and let pmd-bot regenerate the new files
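The mechanism behind the issue, as an added example in Python that is not pmd-doc's code: an XML parser resolves `&lt;` and `&gt;` while reading the rule description, so the generator holds literal tags in memory, and markdown passes inline HTML through to the rendered page. The ruleset below is constructed to resemble a PMD rule definition (it is not the real jsp/security.xml), and `contains_raw_tag` is a hypothetical regression check of the kind the first task asks for; the buggy and the fixed renderer are shown side by side.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample ruleset in the shape of a PMD rule definition (not the
# real jsp/security.xml). The description stores HTML-looking text with XML
# entity escapes, as the issue describes.
RULESET_XML = """<?xml version="1.0"?>
<ruleset name="Sample">
  <rule name="NoUnsanitizedJSPExpression" language="jsp"
        message="Avoid unsanitized JSP expressions">
    <description>
Expressions such as &lt;%= request.getParameter("name") %&gt; write user input
to the page unescaped; a value like &lt;script&gt;alert(1)&lt;/script&gt; then
executes in the visitor's browser.
    </description>
  </rule>
</ruleset>
"""

# Matches an HTML element start or end tag; JSP "<%= ... %>" does not match
# because '%' is neither '/' nor a letter.
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def parse_rules(xml_text):
    """Return (name, description) pairs from a ruleset.

    The XML parser resolves &lt; and &gt; here, so the returned description
    already contains literal '<script>' tags; the escapes from the XML file
    are gone once the text is in memory.
    """
    root = ET.fromstring(xml_text)
    return [(rule.get("name"), rule.findtext("description", default="").strip())
            for rule in root.findall("rule")]


def render_markdown_unescaped(rules):
    """Buggy generator: copies the parsed text into markdown verbatim.

    Markdown renderers pass inline HTML through, so the tags become live
    markup in the generated documentation page.
    """
    return "\n".join(f"## {name}\n\n{desc}\n" for name, desc in rules)


def render_markdown_escaped(rules):
    """Fixed generator: re-escape '<', '>' and '&' when emitting markdown.

    quote=False is enough for element text content; only the three
    characters that can open markup or an entity need escaping here.
    """
    return "\n".join(
        f"## {html.escape(name, quote=False)}\n\n{html.escape(desc, quote=False)}\n"
        for name, desc in rules
    )


def contains_raw_tag(markdown):
    """Hypothetical regression check for the doc generator's tests: the
    generated markdown must not contain an unescaped HTML element."""
    return TAG_RE.search(markdown) is not None


if __name__ == "__main__":
    parsed = parse_rules(RULESET_XML)
    print("--- buggy output ---")
    print(render_markdown_unescaped(parsed))
    print("--- escaped output ---")
    print(render_markdown_escaped(parsed))
```

Escaping on output is the right place for the fix because the XML escapes serve the XML parser, not the markdown renderer; any generator that copies parsed text into a markup format has to escape for the target format again.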

@adangel adangel self-assigned this Nov 15, 2018

@adangel adangel added this to the 6.10.0 milestone Nov 15, 2018

adangel added a commit to adangel/pmd that referenced this issue Nov 15, 2018

adangel added a commit to adangel/pmd that referenced this issue Nov 18, 2018

@adangel adangel added the has:pr label Nov 25, 2018
