ICEfaces
  1. ICEfaces
  2. ICE-9814

Prevent mangling of ice.view parameter

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.2
    • Fix Version/s: 1.8.2-EE-GA_P01
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      jsf 2
    • Assignee Priority:
      P3
    • Salesforce Case Reference:

      Description

      Prevent examples of Post request captured showing javascript code appended to ice.view parameter value...

      POST /alldata/block/send-receive-updates HTTP/1.1
      Accept: */*
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Referer: https://<domain>/alldata/admintool/usermgmt/approval_page.iface
      Accept-Language: en-us
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
      Connection: Keep-Alive
      Cache-Control: no-cache
      Cookie: ice.sessions=nNwNKitUxBaygTIsM2eaWw#1; updates; ice.lease=1391164323939; bconn
      Content-Length: 591
      ...
      .event.ctrl=false&ice.event.shift=false&ice.event.meta=undefined&ice.event.x=NaN&ice.event.y=108&i
      ce.event.left=false&ice.event.right=false&j_id248=j_id248&icefacesCssUpdates=&j_id248%3Aj_id249=b1
      d54685-10a7-4d52-b65a-f21a55da2332&j_id248%3A_idcl=j_id248%3Aj_id271&ice.session=nNwNKitUxBaygTIsM
      2eaWw& ice.view=2"/><abc%20xmlns:xyz='http://www.w3.org/1999/xhtml&#39;&gt;&lt;xyz:body%20onload=&#39;alert(224)
      '/></abc> &ice.focus=undefined&rand=0.37487139366567135
      ...
      ><xyz:body%20onload='alert(224)'/></abc> &ice.focus=undefined&rand=0.37487139366567135

      HTTP/1.1 200 OK
      Cache-Control: no-cache
      Cache-Control: no-store
      Cache-Control: must-revalidate
      Date: Fri, 31 Jan 2014 10:56:17 GMT
      Pragma: no-cache
      Content-Length: 106
      Content-Type: text/xml ; charset=UTF-8
      Expires: 0
      X-Powered-By: The Flux Capacitor
      <reload view="2"/><abc xmlns:xyz='http://www.w3.org/1999/xhtml&#39;&gt;&lt;xyz:body
      onload='alert(224)'/></abc> "/> <reload view="2"/><abc xmlns:xyz='http://www.w3.org/1999/xhtml&#39;&gt;&lt;xyz:body onload='alert(224)'/></abc> "/>

        Activity

        Judy Guglielmin created issue -
        Judy Guglielmin made changes -
        Field Original Value New Value
        Assignee Ken Fyten [ ken.fyten ]
        Judy Guglielmin made changes -
        Salesforce Case Reference 5007000000ZE9fhAAD
        Ken Fyten made changes -
        Assignee Ken Fyten [ ken.fyten ]
        Ken Fyten made changes -
        Assignee Mircea Toma [ mircea.toma ]
        Fix Version/s EE-3.3.0.GA_P02 [ 11371 ]
        Assignee Priority P3 [ 10012 ]
        Ken Fyten made changes -
        Fix Version/s EE-3.3.0.GA_P02 [ 11371 ]
        Mircea Toma made changes -
        Affects Version/s 1.8.2-EE-GA_P02 [ 10226 ]
        Affects Version/s EE-3.3.0.GA_P01 [ 11174 ]
        Mircea Toma made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Ken Fyten made changes -
        Affects Version/s 1.8.2 [ 10190 ]
        Affects Version/s 1.8.2-EE-GA_P02 [ 10226 ]
        Ken Fyten made changes -
        Fix Version/s 1.8.2-EE-GA_P01 [ 10220 ]
        Ken Fyten made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            Mircea Toma
            Reporter:
            Judy Guglielmin
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: