[ https://issues.apache.org/jira/browse/CXF-6216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14290845#comment-14290845 ]
Donald Kwakkel commented on CXF-6216:
-------------------------------------

This link describes and gives examples of how requestURL can be used for XSS attacks: https://www.superevr.com/blog/2011/three-semicolon-vulnerabilities. For getRequestURI it is more difficult, because it is encoded. So e.g. this attack will not work:

view-source:https://www.eigenhuis.nl/api/v2;';alert('xss1')-'

I do not know how to generate the WADL HTML code with requestURL (from BaseUrlHelper.getBaseURL) as input, so I am not sure if this is an issue. Maybe with the current code base it goes right. Still, it seems preferable to me to sanitize output.

> No output sanitizing in FormattedServiceListWriter
> ---------------------------------------------------
>
>                 Key: CXF-6216
>                 URL: https://issues.apache.org/jira/browse/CXF-6216
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.0.1
>            Reporter: Donald Kwakkel
>
> No output sanitizing is done, which makes the code vulnerable to injection.
> I do not have a specific use case, but it is good habit to do. Maybe you can
> use the OWASP Sanitizer:
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> One example from the file:
>
>     writer.write("<span class=\"field\">Endpoint address:</span> "
>             + "<span class=\"value\">" + absoluteURL + "</span>");

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)