
ColumnToggler: XSS caused by script tags in headerText of Column #4913

Closed
torbenw opened this issue Jun 20, 2019 · 5 comments

@torbenw

commented Jun 20, 2019

1) Environment

  • PrimeFaces version: 6.2.19
  • Application server + version: Apache Tomcat 8.5.13
  • Affected browsers: Internet Explorer 11, Firefox 67.0.3, Chrome 75

2) Expected behavior

The headerText should be treated as text in the ColumnToggler. HTML tags and code should be escaped. The headerText is already properly escaped in the DataTable's header.

3) Actual behavior

A script tag in the headerText of a Column is executed when a ColumnToggler is attached to the DataTable and the page is loaded. The headerText is not escaped in the ColumnToggler.

4) Steps to reproduce

  1. Open the provided XHTML example page.
  2. An alert "xss" will be displayed.

5) Sample XHTML

```xml
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:h="http://java.sun.com/jsf/html" xmlns:f="http://java.sun.com/jsf/core" xmlns:p="http://primefaces.org/ui">
  <h:head />
  <h:body>
    <p:dataTable id="table">
      <f:facet name="header">
        <p:commandButton id="toggler" type="button" value="Toggler" />
        <p:columnToggler datasource="table" trigger="toggler" />
      </f:facet>
      <p:column headerText="&lt;script&gt;alert('xss')&lt;/script&gt;" />
    </p:dataTable>
  </h:body>
</html>
```

6) Sample bean

Not needed.
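The defect reported above is a header label concatenated into the toggler's markup without escaping. The following is an added example, not PrimeFaces code and not the fix from PR #4914: `buildTogglerPanelUnsafe` and `buildTogglerPanel` are hypothetical stand-ins for the widget's rendering step, and the column list is constructed.

```javascript
// Added example (not PrimeFaces code). Shows why a column toggler must escape
// headerText before inserting it as HTML, and a check a regression test can use.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Single-pass replacement of every character that can open a tag, close an
// attribute value, or start an entity, so the result is inert as HTML text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape (hypothetical): header text goes straight into the markup,
// so a header like <script>alert('xss')</script> becomes live script.
function buildTogglerPanelUnsafe(columns) {
  return columns.map((c, i) =>
    `<li><input type="checkbox" id="col${i}" checked/><label for="col${i}">${c.headerText}</label></li>`
  ).join('');
}

// Hardened shape: identical markup, but headerText is escaped, so the label
// renders literally, matching what the DataTable header already does.
function buildTogglerPanel(columns) {
  return columns.map((c, i) =>
    `<li><input type="checkbox" id="col${i}" checked/><label for="col${i}">${escapeHtml(c.headerText)}</label></li>`
  ).join('');
}

// Regression check: any tag name in the rendered panel that the template
// itself does not emit was injected through a label.
function hasInjectedTag(html) {
  const expected = new Set(['li', '/li', 'input', 'label', '/label']);
  const tags = [...html.matchAll(/<([a-zA-Z/][^\s>\/]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !expected.has(t));
}

// Constructed sample columns; the second one carries the payload from the report.
const columns = [
  { headerText: 'Name' },
  { headerText: "<script>alert('xss')</script>" },
];
```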

@melloware

Contributor

commented Jun 20, 2019

I will fix this. @Rapster can you add the security label please?

@Rapster Rapster added the security label Jun 20, 2019

tandraschko added a commit that referenced this issue Jun 20, 2019

Merge pull request #4914 from melloware/PF4913
Fix #4913: ColumnToggler XSS in column labels.

@tandraschko tandraschko added this to the 7.1 milestone Jun 20, 2019

@ttsiebzehntt


commented Jun 21, 2019

@tandraschko Are you going to fix this in 6.2.x? If yes, when can we expect a fix?

@melloware

Contributor

commented Jun 21, 2019

That would be @mertsincan who controls the Elite releases.

@ttsiebzehntt


commented Jul 2, 2019

@mertsincan Any chance to get this into 6.2.22?

@mertsincan

Member

commented Jul 9, 2019

Fixed for 6.2.22 and 7.0.5
