Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 1.8.2
- Fix Version/s: 1.8.2-EE-GA_P01
- Component/s: Framework
- Labels: None
- Environment: jsf 2
- Assignee Priority: P3
- Salesforce Case Reference:
Description
Prevent this: the captured POST request below shows JavaScript code appended to the ice.view parameter value, and the server's XML response echoes it back unchanged.
```http
POST /alldata/block/send-receive-updates HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://<domain>/alldata/admintool/usermgmt/approval_page.iface
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ice.sessions=nNwNKitUxBaygTIsM2eaWw#1; updates; ice.lease=1391164323939; bconn
Content-Length: 591

...
.event.ctrl=false&ice.event.shift=false&ice.event.meta=undefined&ice.event.x=NaN&ice.event.y=108&ice.event.left=false&ice.event.right=false&j_id248=j_id248&icefacesCssUpdates=&j_id248%3Aj_id249=b1d54685-10a7-4d52-b65a-f21a55da2332&j_id248%3A_idcl=j_id248%3Aj_id271&ice.session=nNwNKitUxBaygTIsM2eaWw& ice.view=2"/><abc%20xmlns:xyz='http://www.w3.org/1999/xhtml'><xyz:body%20onload='alert(224)'/></abc> &ice.focus=undefined&rand=0.37487139366567135

HTTP/1.1 200 OK
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: must-revalidate
Date: Fri, 31 Jan 2014 10:56:17 GMT
Pragma: no-cache
Content-Length: 106
Content-Type: text/xml ; charset=UTF-8
Expires: 0
X-Powered-By: The Flux Capacitor

<reload view="2"/><abc xmlns:xyz='http://www.w3.org/1999/xhtml'><xyz:body onload='alert(224)'/></abc> "/>
```
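As an added illustration (not ICEfaces code, and in Python rather than Java), the raw concatenation that reproduces the response body above sits beside two hardened variants and a proxy-log detection check; the integer-only view-id rule and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import List
from xml.sax.saxutils import quoteattr

# Constructed sample: the URL-decoded ice.view value from the captured request.
TAINTED_VIEW = ('2"/><abc xmlns:xyz=\'http://www.w3.org/1999/xhtml\'>'
                '<xyz:body onload=\'alert(224)\'/></abc> ')

# Assumption: ICEfaces view numbers are plain integers, so anything else is rejected.
VIEW_ID = re.compile(r"^[0-9]+$")


def reload_unsafe(view: str) -> str:
    """Vulnerable form: raw concatenation, reproducing the captured response body."""
    return '<reload view="' + view + '"/>'


def is_valid_view_id(view: str) -> bool:
    """Allow-list check applied before the parameter reaches any response."""
    return VIEW_ID.match(view) is not None


def reload_validated(view: str) -> str:
    """Hardened form 1: reject anything that is not a view number."""
    if not is_valid_view_id(view):
        raise ValueError("rejected ice.view value")
    return '<reload view="' + view + '"/>'


def reload_escaped(view: str) -> str:
    """Hardened form 2 (defence in depth): escape for the XML attribute context."""
    return "<reload view=%s/>" % quoteattr(view)


def element_names(xml_text: str) -> List[str]:
    """Element names a parser sees in the reply; anything beyond 'reload' is injected."""
    root = ET.fromstring("<r>" + xml_text + "</r>")
    return [el.tag for el in root.iter()][1:]


def parsed_view(xml_text: str) -> str:
    """The view attribute value the client-side XML parser actually receives."""
    return ET.fromstring("<r>" + xml_text + "</r>").find("reload").get("view")


def reflects_payload(response_body: str, param_value: str) -> bool:
    """Proxy-log detection rule: markup from a request parameter reappears verbatim."""
    return "<" in param_value and param_value.strip() in response_body
```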
Activity
Changed by | Field | Original Value | New Value |
---|---|---|---|
Judy Guglielmin | (created issue) | | |
Judy Guglielmin | Assignee | Ken Fyten [ ken.fyten ] |
Judy Guglielmin | Salesforce Case Reference | 5007000000ZE9fhAAD |
Ken Fyten | Assignee | Ken Fyten [ ken.fyten ] |
Ken Fyten | Assignee | Mircea Toma [ mircea.toma ] | |
Ken Fyten | Fix Version/s | EE-3.3.0.GA_P02 [ 11371 ] | |
Ken Fyten | Assignee Priority | P3 [ 10012 ] |
Ken Fyten | Fix Version/s | EE-3.3.0.GA_P02 [ 11371 ] |
Mircea Toma | Affects Version/s | 1.8.2-EE-GA_P02 [ 10226 ] | |
Mircea Toma | Affects Version/s | EE-3.3.0.GA_P01 [ 11174 ] |
Mircea Toma | Status | Open [ 1 ] | Resolved [ 5 ] |
Mircea Toma | Resolution | Fixed [ 1 ] |
Ken Fyten | Affects Version/s | 1.8.2 [ 10190 ] | |
Ken Fyten | Affects Version/s | 1.8.2-EE-GA_P02 [ 10226 ] |
Ken Fyten | Fix Version/s | 1.8.2-EE-GA_P01 [ 10220 ] |
Ken Fyten | Status | Resolved [ 5 ] | Closed [ 6 ] |