Hello,

The calendar component provided in Tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses DateField.
To reproduce the vulnerability, put JS code like <script>alert("T5 is great"); </script> in any DateField and click on the related calendar bitmap.

After a quick search in DateField.js, it seems like the field value is not escaped in triggerClicked:

    triggerClicked : function()
    {
        if (this.field.disabled) return;

        if (this.popup == null)
        {
            this.createPopup();
        }
        else
        {
            if (this.popup.visible())
            {
                this.hidePopup();
                return;
            }
        }

        // Raw value of the text field (Prototype's $F), taken as-is
        var value = $F(this.field);

        if (value == "")
        {
            this.datePicker.setDate(null);
            this.positionPopup();
            this.revealPopup();
            return;
        }

        // Called with the parsed time (ms) returned by the server
        var resultHandler = function(result)
        {
            var date = new Date();
            date.setTime(result);
            this.datePicker.setDate(date);
            this.positionPopup();
            this.revealPopup();
        };

        // Called with the server's validation message on a parse failure
        var errorHandler = function(message)
        {
            this.field.showValidationMessage(message);
            this.field.activate();
        };

        // The unescaped value is sent to the parse URL
        this.sendServerRequest(this.parseURL, value, resultHandler, errorHandler);
    },

Escaping the field value seems to solve this vulnerability:

    var value = escape($F(this.field));

Do I have to create a Jira for this issue?

In order to deliver a patch we are currently using a decorator for assetSource in order to provide another version of DateField.js. Is there a better way to fix this issue?

Best regards,
François & Nourredine
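The following is an added example and is not code from Tapestry's DateField.js nor the reporters' patch. It models one round trip of the calendar parse request with constructed stand-ins: the parse path, the server-side endpoint (fakeParseEndpoint, which only accepts yyyy-mm-dd and otherwise returns a message echoing the input) and the two rendering functions are all assumptions, chosen so the reproduction step above (a script tag typed into the field, then the calendar clicked) has a concrete path to follow. It uses encodeURIComponent instead of the legacy escape() call from the post, since that is the standard per-component URL encoder, and it shows that URL-encoding the request is only half of the job under this assumed server behaviour: whatever the server echoes back must also be HTML-escaped (or assigned via textContent) before it reaches the DOM.

```javascript
// Added example, not code from Tapestry's DateField.js. It models one
// round trip of the calendar "parse" request with constructed stand-ins.

// Assumed parse-request path (the real DateField reads this.parseURL).
const PARSE_URL = "/app/datefield.parse";

// Vulnerable: the raw field value is concatenated into the query string.
function buildParseUrlRaw(parseURL, value) {
  return parseURL + "?input=" + value;
}

// Fixed: per-component URL encoding of the value. The post used escape();
// encodeURIComponent is the standard equivalent and also encodes + / @ and &.
function buildParseUrlEncoded(parseURL, value) {
  return parseURL + "?input=" + encodeURIComponent(value);
}

// Escape text that is about to become HTML markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for the server side of sendServerRequest. It accepts
// only yyyy-mm-dd and returns the time in ms (UTC); on any other input it
// returns a validation message that echoes the input back to the client.
function fakeParseEndpoint(url) {
  const query = url.slice(url.indexOf("?") + 1);
  const input = new URLSearchParams(query).get("input") || "";
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(input);
  if (m === null) {
    return { error: "Date value '" + input + "' is not parseable." };
  }
  return { result: Date.UTC(Number(m[1]), Number(m[2]) - 1, Number(m[3])) };
}

// Vulnerable sink: the message is inserted as markup (innerHTML-style).
function renderMessageAsHtml(message) {
  return '<span class="validation">' + message + "</span>";
}

// Safe sink: escape first (in a browser, assigning via textContent is the
// equivalent).
function renderMessageSafely(message) {
  return '<span class="validation">' + escapeHtml(message) + "</span>";
}

// Client round trip mirroring triggerClicked: build the request, call the
// endpoint, then either set the picker date or show the validation message.
// Returns the rendered message HTML on error, or { date } on success.
function triggerClicked(value, options) {
  const url = options.encode
    ? buildParseUrlEncoded(PARSE_URL, value)
    : buildParseUrlRaw(PARSE_URL, value);
  const response = fakeParseEndpoint(url);
  if (response.error !== undefined) {
    return options.escapeOutput
      ? renderMessageSafely(response.error)
      : renderMessageAsHtml(response.error);
  }
  const date = new Date();
  date.setTime(response.result);
  return { date: date };
}
```

Running triggerClicked with the post's payload and encode set but escapeOutput unset still yields a span containing a live script tag; only the combination of request encoding and output escaping removes it. The raw concatenation also silently truncates any legitimate value containing an ampersand, which is a correctness reason to encode the parameter even before the injection is considered.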