[ https://issues.apache.org/jira/browse/CXF-6216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15636852#comment-15636852 ]
Sergey Beryozkin commented on CXF-6216:
---------------------------------------

https://issues.apache.org/jira/browse/CXF-7128 has been created to review the possibility of using OWASP sanitizers.

The 'matrix param' attack has been fixed by removing all the matrix parameters from the absolute URL which is built by ServletController with the help of BaseUrlHelper. This constitutes a concrete form of sanitizing the URI.

> No output sanitizing in FormattedServiceListWriter
> ---------------------------------------------------
>
>                 Key: CXF-6216
>                 URL: https://issues.apache.org/jira/browse/CXF-6216
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.0.1
>            Reporter: Donald Kwakkel
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.2.0, 3.1.9, 3.0.12
>
>
> No output sanitizing is done, which makes the code vulnerable to injection.
> I do not have a specific use case, but it is a good habit to do. Maybe you can
> use the OWASP Sanitizer:
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> One example from the file:
> writer.write("<span class=\"field\">Endpoint address:</span> " +
> "<span class=\"value\">"
> + absoluteURL + "</span>");

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
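As an added example (not CXF's own code; the real fix lives in ServletController and BaseUrlHelper), here is a hardened form of the write call quoted in the issue that applies both defences the comment describes: matrix parameters are stripped from the endpoint URL and the result is HTML-escaped before it reaches the service listing. Class, method names and the sample URL are hypothetical.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
// Added example, not CXF's own code: strip matrix parameters from the endpoint URL,
// then HTML-escape the value before writing it into the listing. Names are hypothetical.
public class EndpointAddressWriter {
    // Remove ";name=value" matrix segments from every path segment; the query string stays.
    static String stripMatrixParams(String absoluteUrl) {
        int pathStart = absoluteUrl.indexOf('/', absoluteUrl.indexOf("://") + 3);
        if (pathStart < 0) return absoluteUrl;        // no path component, nothing to strip
        int queryStart = absoluteUrl.indexOf('?', pathStart);
        String path = queryStart < 0 ? absoluteUrl.substring(pathStart)
                                     : absoluteUrl.substring(pathStart, queryStart);
        String query = queryStart < 0 ? "" : absoluteUrl.substring(queryStart);
        StringBuilder clean = new StringBuilder();
        for (String segment : path.split("/", -1)) {
            int semi = segment.indexOf(';');
            clean.append(semi < 0 ? segment : segment.substring(0, semi)).append('/');
        }
        clean.setLength(clean.length() - 1);          // drop the trailing '/' the loop added
        return absoluteUrl.substring(0, pathStart) + clean + query;
    }
    // Escape the characters that matter in HTML text and attribute context.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    // Hardened form of the write call quoted in the issue: strip, then escape, then write.
    static void writeEndpointAddress(Writer writer, String absoluteUrl) throws IOException {
        String safe = escapeHtml(stripMatrixParams(absoluteUrl));
        writer.write("<span class=\"field\">Endpoint address:</span> " + "<span class=\"value\">" + safe + "</span>");
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample: a matrix parameter on the path and markup in the query string.
        StringWriter out = new StringWriter();
        writeEndpointAddress(out, "http://localhost:8080/services;x=1/hello?q=<b>hi</b>");
        System.out.println(out);
    }
}
```

The matrix segment `;x=1` disappears from the path and the `<b>` markup in the query survives only as `&lt;b&gt;`, so neither can break out of the `<span>` in the generated page.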