Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Contributory XSS: Possibility to inject HTML/javascript in system error messages #1783

vaadin-bot opened this Issue Sep 27, 2011 · 2 comments


None yet
1 participant

vaadin-bot commented Sep 27, 2011

Originally by @hesara

It is possible to inject HTML through exception stack messages and stack traces displayed in system error messages. The developer of an application is likely not to take this into account and may inadvertently introduce XSS vulnerabilities in applications through this mechanism.

Another path to exploit this is to convince the end user to paste text that will fail field validation and injects HTML/javascript.

This vulnerability was discovered by Wouter Coekaerts (http://wouter.coekaerts.be).

Imported from https://dev.vaadin.com/ issue #7671


vaadin-bot commented Sep 27, 2011

Originally by @hesara

Reviewed by Leif.

@vaadin-bot vaadin-bot closed this Sep 27, 2011


vaadin-bot commented Sep 28, 2011

Originally by @hesara

It should be noted that the UserError class now provides separate text and HTML modes for messages. Previously, the text mode permitted HTML even though the documentation specified that the message should be plain text only.

Applications relying on the previous functionality should change to use the CONTENT_XHTML mode instead of the default CONTENT_TEXT mode.

Furthermore, subclasses of InvalidValueException can override getHtmlMessage() to bypass the default escaping of messages.

@vaadin-bot vaadin-bot added the bug label Dec 9, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment