Hi
With François and Nourredine, we have just checked the Tapestry 5.2.4
datefield.js.
A part of our patch was not included in the new JavaScript file. We still
have a vulnerability in the
sendServerRequest method. We can inject some JavaScript code, for example
using the Paros software.
B
https://issues.apache.org/jira/browse/TAP5-1057
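The issue described above is the familiar class of client-side bug where a script takes a server response and writes it into the page as markup. The following is an added illustration of that class and of two ways to close it, not Tapestry's datefield.js or the patch discussed in this thread; the function names, the response shape and the sample values are assumptions made for the example.

```javascript
// Added illustration (not Tapestry's datefield.js): a client-side handler that
// receives a server response for a date field and renders it. Names and the
// response shape are assumptions for this example.

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the response body is trusted and interpolated as markup,
// so anything the server (or a proxy in between) returns becomes live HTML.
function renderServerDateUnsafe(responseText) {
  return "<span class=\"date\">" + responseText + "</span>";
}

// Hardened pattern: the response is treated as data, never as markup.
function renderServerDateSafe(responseText) {
  return "<span class=\"date\">" + escapeHtml(responseText) + "</span>";
}

// Tighter still for a date field: validate the expected shape before use and
// refuse to render anything that is not a date.
const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/;
function renderServerDateStrict(responseText) {
  if (!ISO_DATE.test(responseText)) {
    return null; // not a date: render nothing rather than the raw value
  }
  return "<span class=\"date\">" + responseText + "</span>";
}

// Constructed samples: a legitimate response beside a tampered one of the kind
// an intercepting proxy lets a tester return during a security test.
const legitimateResponse = "2010-03-17";
const tamperedResponse = "<script>alert(1)</script>";

console.log(renderServerDateUnsafe(tamperedResponse)); // markup survives intact
console.log(renderServerDateSafe(tamperedResponse));   // markup is escaped
console.log(renderServerDateStrict(tamperedResponse)); // null: rejected
```

The strict variant is the one to prefer for a date picker: a date echo has a known shape, so validating it is cheaper and less error-prone than escaping, and it also catches responses that are malformed for reasons other than tampering. Escaping remains necessary wherever free-form server text must be shown.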
Please file an issue in JIRA; a patch is most welcome!
2010/3/17 françois facon :
> Hello
>
> The calendar component provided in Tapestry 5.1.0.5 could be used to allow
> code injection by malicious web users into any page that uses datefield.
>
> To reproduce the vulnerability, put js code like