
Tooltip: XSS in target title #5642

Closed
dgusoft opened this issue Mar 4, 2020 · 3 comments

Labels: 6.2.30, 7.0.13, 🐞 defect (Something isn't working), 🔒 security (Security related issue or enhancement)

Comments


dgusoft commented Mar 4, 2020

1) Environment

  • PrimeFaces version: 7.0.11
  • Does it work on the newest released PrimeFaces version? No
  • Does it work on the newest sources in GitHub? No
  • Affected browsers: all

2) Expected behavior

Proper escaping of title referenced by p:tooltip for .

3) Actual behavior

The target title is not escaped in tooltip.js if this.cfg.target is set.

4) Steps to reproduce

5) Sample XHTML

<p:inputText id="focus" title="This tooltip is displayed when input gets the focus<script>alert('xss');</script>" />
<p:tooltip id="toolTipFocus" for="focus" showEvent="focus" hideEvent="blur" />

6) Sample bean

7) Solution

This error was fixed for the bindGlobal function in tooltip.js with #4394. The same solution should be applied to the bindTarget function.
The line
this.cfg.escape = (this.cfg.escape === undefined) ? true : this.cfg.escape;
must be added at the top of bindTarget.

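The following is an added example, not PrimeFaces code or code from this thread. It models the two steps the report depends on: Facelets resolving `&lt;script&gt;` in the XHTML attribute into a DOM title that contains a real tag, and a bindTarget-style function that reads `cfg.escape` with and without the proposed default. The `makeTarget`, `decodeXhtmlAttribute`, `tooltipContentBefore` and `tooltipContentAfter` names are assumptions made for this illustration and do not exist in tooltip.js.

```javascript
// Added example (not PrimeFaces code): models why an undefaulted cfg.escape
// turns the target's title attribute into HTML, and what the proposed default fixes.

// Minimal HTML escaper: neutralises the characters that can open a tag or
// break out of an attribute.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Facelets resolves entity references in attribute values, so the XHTML
// title="...&lt;script&gt;..." from the thread reaches the browser as a DOM
// title attribute containing real angle brackets. This decoder stands in for
// that step (an assumption, not the Facelets parser); '&amp;' is decoded last
// so a decoded ampersand cannot start a second round of decoding.
function decodeXhtmlAttribute(attr) {
  return attr
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// Hypothetical stand-in for the tooltip target: only the title attribute matters here.
function makeTarget(title) {
  return { title };
}

// Model of the unfixed bindTarget: cfg.escape is read but never defaulted, so a
// p:tooltip with no escape attribute yields undefined, which is falsy, and the
// title is treated as HTML.
function tooltipContentBefore(cfg, target) {
  return cfg.escape ? escapeHTML(target.title) : target.title;
}

// Model of bindTarget with the line the issue asks for: escape defaults to true
// and is only off when the page author explicitly sets escape to false.
function tooltipContentAfter(cfg, target) {
  const escape = (cfg.escape === undefined) ? true : cfg.escape;
  return escape ? escapeHTML(target.title) : target.title;
}

// Crude check: does the tooltip markup still contain a raw tag?
function containsRawTag(html) {
  return /<\s*\/?\s*[a-zA-Z]/.test(html);
}

// Constructed input: the attribute value from the thread, as written in XHTML.
const PAYLOAD_ATTR =
  "This tooltip is displayed when input gets the focus&lt;script&gt;alert('xss');&lt;/script&gt;";
const target = makeTarget(decodeXhtmlAttribute(PAYLOAD_ATTR));

// Runs all four cases so each result can be inspected or asserted on.
function demo() {
  return {
    domTitle: target.title,                                  // contains a literal <script> tag
    before: tooltipContentBefore({}, target),                // raw tag reaches the tooltip markup
    after: tooltipContentAfter({}, target),                  // tag rendered as text
    optOut: tooltipContentAfter({ escape: false }, target),  // explicit opt-out is still raw
  };
}
```

The point the model makes is that the bug is not a missing escaper but a missing default: `escape` is a tri-state (`true`, `false`, `undefined`) that the old code collapsed to a boolean in the unsafe direction. When reviewing a fix like this, also check that the remaining `escape === false` path is only reachable through an explicit attribute the page author controls, not through data.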
@melloware (Member)

First trying your example I get this error:

javax.servlet.ServletException: javax.servlet.ServletException: Error Parsing /test.xhtml: Error Traced[line: 14] The value of attribute "title" associated with an element type "p:inputText" must not contain the '<' character.

But if I make it...

<p:inputText id="focus" title="This tooltip is displayed when input gets the focus&lt;script&gt;alert('xss');&lt;/script&gt;" />
<p:tooltip id="toolTipFocus" for="focus" showEvent="focus" hideEvent="blur" />

Then I can reproduce it with this reproducer.
pf-5642.zip

@melloware melloware added the 🐞 defect Something isn't working label Mar 4, 2020
@melloware melloware self-assigned this Mar 4, 2020
@melloware melloware added this to the 8.0 milestone Mar 4, 2020
@melloware melloware changed the title tooltip: XSS in target title Tooltip: XSS in target title Mar 4, 2020
melloware added a commit to melloware/primefaces that referenced this issue Mar 4, 2020
@melloware melloware added the 🔒 security Security related issue or enhancement label Mar 4, 2020
dgusoft (Author) commented Mar 4, 2020

Sorry for the copy&paste error. Thanks for the quick error fix. Will the fix be ported to 7.0.x?

@melloware (Member)

That is up to @mertsincan to port it to Elite.
