Please file an issue in JIRA; a patch is most welcome!

2010/3/17 françois facon <fra.fa...@gmail.com>:
> Hello
>
> The calendar component provided in Tapestry 5.1.0.5 could be used to allow
> code injection by malicious web users into any page that uses DateField.
>
> To reproduce the vulnerability, put JS code like <script>alert("T5 is
> great"); </script> in any DateField and click on the related calendar bitmap.
>
> After a quick search in DateField.js, it seems like the field value is not
> escaped:
>
> triggerClicked : function()
> {
>     if (this.field.disabled) return;
>
>     if (this.popup == null)
>     {
>         this.createPopup();
>     }
>     else
>     {
>         if (this.popup.visible())
>         {
>             this.hidePopup();
>             return;
>         }
>     }
>
>     // raw field value, taken as typed by the user
>     var value = $F(this.field);
>
>     if (value == "")
>     {
>         this.datePicker.setDate(null);
>         this.positionPopup();
>         this.revealPopup();
>         return;
>     }
>
>     var resultHandler = function(result)
>     {
>         var date = new Date();
>         date.setTime(result);
>         this.datePicker.setDate(date);
>         this.positionPopup();
>         this.revealPopup();
>     };
>
>     // server-supplied message is shown next to the field
>     var errorHandler = function(message)
>     {
>         this.field.showValidationMessage(message);
>         this.field.activate();
>     };
>
>     this.sendServerRequest(this.parseURL, value, resultHandler, errorHandler);
> },
>
> Escaping the field value seems to solve this vulnerability:
>
> var value = escape($F(this.field));
>
> Do I have to create a JIRA for this issue?
>
> In order to deliver a patch we are currently using a decorator for
> assetSource in order to provide another version of DateField.js.
> Is there a better way to fix this issue?
>
> Best Regards
> François & Nourredine
--
Howard M. Lewis Ship
Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
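The reflected-XSS pattern described in the report above, as an added, stand-alone example; this is not Tapestry's code and not the patch the reporters mention. It assumes a server-side parse handler that echoes an unparsable field value back inside its error message (`parseDateOnServer`, with a hypothetical message format and a hypothetical `t-error` CSS class on the client), because the real handler is not shown in the thread. The example contrasts two controls: percent-encoding the value for the request (`encodeURIComponent`, the modern counterpart of the legacy `escape()` used in the proposed fix), which keeps the payload intact on the wire so the server still sees the raw string, and HTML-escaping at the point where the message is rendered, which is what neutralises the markup.

```javascript
// Added example (not Tapestry's code): how an unparsable DateField value can
// be reflected into the page as markup, and where escaping actually helps.

// Constructed sample input, modelled on the payload quoted in the report.
const MALICIOUS_VALUE = '<script>alert("T5 is great");</script>';

// HTML-escape the five characters that matter inside element content or a
// double-quoted attribute value.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical stand-in for the server side of the parse request. Only a
// strict YYYY-MM-DD value is accepted; anything else comes back embedded in
// an error message, which is the reflection point.
function parseDateOnServer(value) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(value);
  if (!m) {
    return { error: `Date value '${value}' is not parseable.` };
  }
  return { result: Date.UTC(Number(m[1]), Number(m[2]) - 1, Number(m[3])) };
}

// Request-side encoding, as in the proposed fix. Percent-encoding protects
// the URL, not the HTML: the server decodes it and sees the original string.
function buildParseUrl(parseURL, value) {
  return `${parseURL}?value=${encodeURIComponent(value)}`;
}

// VULNERABLE sink: the message is placed into the page as HTML, so whatever
// the user typed into the field is interpreted as markup.
function buildValidationHtmlUnsafe(message) {
  return `<div class="t-error">${message}</div>`;
}

// HARDENED sink: escape where the untrusted text meets the DOM. This covers
// the field value no matter how the request was encoded.
function buildValidationHtmlSafe(message) {
  return `<div class="t-error">${htmlEscape(message)}</div>`;
}

// Detection helper for the check below: did a live <script> tag survive?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Full round trip: encode for the request, decode on the "server", build the
// error message, render it both ways.
function demo() {
  const url = buildParseUrl('/datefield/parse', MALICIOUS_VALUE);
  const decoded = decodeURIComponent(url.split('value=')[1]);
  const response = parseDateOnServer(decoded);
  return {
    url,
    decoded,
    unsafe: buildValidationHtmlUnsafe(response.error),
    safe: buildValidationHtmlSafe(response.error),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const d = demo();
  console.log('request URL :', d.url);
  console.log('unsafe HTML :', d.unsafe);
  console.log('safe HTML   :', d.safe);
}
```

Run it with `node` and compare the two rendered strings: the unsafe one still contains the `<script>` element even though the request was percent-encoded, the safe one renders the payload as visible text. In a real page the same effect is obtained by assigning the message to `textContent` instead of `innerHTML`, or by escaping on the server before the message leaves it.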