
Chip: XSS through label attribute #8527

Closed
cnsgithub opened this issue Mar 8, 2022 · 3 comments · Fixed by #8534
Labels: 10.0.17, 11.0.3, 🔒 security (Security related issue or enhancement)

cnsgithub (Contributor) commented Mar 8, 2022

First of all: it has been a long time since I was active and contributed some things, like the OWASP encoder, to achieve better XSS mitigation. Now I'm a bit disappointed: the OWASP encoder is still in place, but it's not used consistently in new components. This issue describes the third XSS vulnerability I've identified in just a few minutes. :-(

Describe the defect
The attribute label of p:chip is subject to XSS.

Environment:

  • PF Version: 12.0.0

To Reproduce
Steps to reproduce the behavior:
Set the label of p:chip like this (e.g. in chip.xhtml of the showcase):

<p:chip label="Apple&lt;script&gt;alert('foo');&lt;/script&gt;" icon="pi pi-apple" styleClass="p-mr-2"/>

Expected behavior
The value should be escaped properly with EscapeUtils.forHtml or ResponseWriter.writeText.

@cnsgithub cnsgithub added the 🐞 defect Bug...Something isn't working label Mar 8, 2022
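As an added illustration (not code from this issue or from PrimeFaces itself), here is the renderer pattern the report asks for: the raw write that lets markup inside the label reach the page, beside the escaped versions using ResponseWriter.writeText and EscapeUtils.forHtml. DemoChip and the method names are hypothetical stand-ins for the real component and renderer.

```java
import java.io.IOException;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import org.primefaces.util.EscapeUtils;

/** Hypothetical stand-in for the chip component; only the attacker-influenced label matters here. */
class DemoChip {
    private final String label;

    DemoChip(String label) {
        this.label = label;
    }

    String getLabel() {
        return label;
    }
}

public class ChipLabelEscapingDemo {

    /** Vulnerable pattern: the label is written verbatim, so "<script>" in the label becomes live markup. */
    static void encodeLabelUnsafe(FacesContext context, DemoChip chip) throws IOException {
        ResponseWriter writer = context.getResponseWriter();
        writer.startElement("span", null);
        writer.write(chip.getLabel()); // no escaping: this is the defect the issue describes
        writer.endElement("span");
    }

    /** Hardened pattern: writeText escapes the value as HTML element content (&lt;script&gt; stays text). */
    static void encodeLabelSafe(FacesContext context, DemoChip chip) throws IOException {
        ResponseWriter writer = context.getResponseWriter();
        writer.startElement("span", null);
        writer.writeText(chip.getLabel(), "label");
        writer.endElement("span");
    }

    /** Same protection when markup is assembled as a String, via the project's OWASP-encoder wrapper. */
    static String escapedLabel(DemoChip chip) {
        return EscapeUtils.forHtml(chip.getLabel());
    }

    public static void main(String[] args) {
        // Constructed sample: the payload from the report's reproduction step.
        DemoChip chip = new DemoChip("Apple<script>alert('foo');</script>");
        System.out.println(escapedLabel(chip));
    }
}
```

Both escaped variants render the script tags as inert text; only the verbatim write hands them to the browser's HTML parser.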
melloware (Member) commented Mar 8, 2022

I agree with you; these were written offline and just committed without a chance for much peer review by the community. I will fix all these.

@melloware melloware added 🔒 security Security related issue or enhancement and removed 🐞 defect Bug...Something isn't working labels Mar 8, 2022
@melloware melloware added this to the 12.0.0 milestone Mar 8, 2022
@melloware melloware self-assigned this Mar 8, 2022
melloware added a commit to melloware/primefaces that referenced this issue Mar 8, 2022
@melloware melloware linked a pull request Mar 8, 2022 that will close this issue
fcorneli (Contributor) commented Mar 9, 2022

Now that these XSS are "out in the open", could these fixes be backported to 11, please?

tandraschko (Member) commented:

That's up to PrimeTek (cc @mertsincan); that's all we can do.
However, you can have it ported via PrimeFaces PRO.
