[ https://issues.apache.org/jira/browse/CMIS-938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14709126#comment-14709126 ]
Florian Müller commented on CMIS-938:
-------------------------------------

The whole InMemory repository is for testing and demo purposes only. See: https://chemistry.apache.org/java/developing/repositories/dev-repositories-inmemory.html

> Cross-Site Scripting: Reflected Vulnerability in index.jsp
> ----------------------------------------------------------
>
>                 Key: CMIS-938
>                 URL: https://issues.apache.org/jira/browse/CMIS-938
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> The method _jspService() in index.jsp sends unvalidated data to a web browser
> on line 131, which can result in the browser executing malicious code.
> Explanation:
> Cross-site scripting (XSS) vulnerabilities occur when:
> 1. Data enters a web application through an untrusted source. In the case of
> Reflected XSS, the untrusted source is typically a web request, while in the
> case of Persisted (also known as Stored) XSS it is typically a database or
> other back-end datastore.
> In this case the data enters at getHeader() in
> ProxyHttpServletRequestWrapper.java at line 41.
> 2. The data is included in dynamic content that is sent to a web user without
> being validated.
> In this case the data is sent at println() in index.jsp at line 131.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)