Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 1.8.2-EE-GA_P01, 2.0-Beta2
-
Fix Version/s: EE-1.8.2.GA_P04
-
Component/s: Framework, ICE-Components
-
Labels:None
-
Environment:All
-
Workaround Exists:Yes
-
Workaround Description:
Description
The ICEfaces output component are not escaped by default which makes them vulnerable to cross site scripting attacks. The <ice:outputText> uses the escape attribute but the other output components do not (ex: <ice:selectOneMenu/>). Doing a test in a pure JSF application reveals that the JSF framework by default filters/escapes JavaScript by default.
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
Were commits previously made on the original JIRA? If so, which one is it?
Show
Ted Goddard
added a comment - Were commits previously made on the original JIRA? If so, which one is it?
Good question, I thought cloning it would link the old JIRA too. Here is the other JIRA: http://jira.icefaces.org/browse/ICE-5854
Show
Arran Mccullough
added a comment - Good question, I thought cloning it would link the old JIRA too. Here is the other JIRA: http://jira.icefaces.org/browse/ICE-5854
Fix backported to icefaces/trunk/icefaces.
Full regression testing is necessary since a large number of components were modified.
Show
Ted Goddard
added a comment - Fix backported to icefaces/trunk/icefaces.
Full regression testing is necessary since a large number of components were modified.
Customer has requested that the fixes made on the 2.x code base be added to the 1.8.x code.