First of all: It had been a long time since I was active and contributed some things like OWASP encoder to achieve better XSS mitigation. Now I'm a bit disappointed, the OWASP encoder is still in place, but it's not used consistently in new components. This issue describes the third XSS vulnerability I've identified in just a few minutes. :-(
Describe the defect
The attribute label of p:chip is subject to XSS.
Environment:
PF Version: 12.0.0
To Reproduce
Steps to reproduce the behavior:
Set the label of p:chip like this (e.g. in chip.xhtml of showcase)
<p:chip label="Apple<script>alert('foo');</script>" icon="pi pi-apple" styleClass="p-mr-2"/>
Expected behavior
The value should be escaped properly with EscapeUtils.forHtml or ResponseWriter.writeText.
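To make the reported defect and the requested fix concrete, here is an added, self-contained Java example (not PrimeFaces code and not the reporter's). It renders the label from the report into a simplified chip markup two ways: concatenated verbatim, as the issue describes, and passed through an HTML escaper first. The `escapeHtml` method is a minimal stand-in for `EscapeUtils.forHtml` / `ResponseWriter.writeText`, and the `<div>`/`<span>` structure is an assumption for illustration, not the showcase's exact output.

```java
// Added example, not PrimeFaces code. Demonstrates why the p:chip label must be
// escaped before it is written to the response, using the payload from the report.
public class ChipEscapeDemo {

    // Stand-in for EscapeUtils.forHtml / ResponseWriter.writeText (assumption: the
    // real utilities delegate to an encoder library; this one covers only the
    // characters that terminate a text node or an attribute value).
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Simplified chip markup (assumed for this demo, not the component's real HTML).
    // Vulnerable variant: the label is concatenated into the response unchanged,
    // so any markup inside it becomes part of the page.
    static String renderChipUnsafe(String label) {
        return "<div class=\"p-chip\"><span class=\"p-chip-text\">"
                + label
                + "</span></div>";
    }

    // Fixed variant: same markup, but the label is escaped as text content first.
    static String renderChipSafe(String label) {
        return "<div class=\"p-chip\"><span class=\"p-chip-text\">"
                + escapeHtml(label)
                + "</span></div>";
    }

    // Crude demo-only check: does the rendered HTML still contain a script tag?
    static boolean containsScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Payload taken from the report, constructed here as the demo input.
        String label = "Apple<script>alert('foo');</script>";

        String unsafe = renderChipUnsafe(label);
        String safe = renderChipSafe(label);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        System.out.println("script tag in unsafe output: " + containsScriptTag(unsafe));
        System.out.println("script tag in safe output:   " + containsScriptTag(safe));
    }
}
```

Compile and run with `javac ChipEscapeDemo.java && java ChipEscapeDemo`. The point a reviewer of the renderer would check: the escaping must match the output context. `writeText` (or `forHtml`) is correct when the label lands in element text, as here; if the same value were also emitted inside an attribute such as `title`, it would need `writeAttribute` (or the attribute-context encoder) rather than a bare `write`, since a `"` in the value would otherwise close the attribute.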