Insecure html in build output leads to bad html rendering - could be used for malicious cross-site scripting.

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Critical Critical
  • Resolution: Duplicate
  • Affects Version/s: 1.0.3
  • Fix Version/s: None
  • Component/s: Web interface
  • Labels:
    None
  • Complexity:
    Intermediate

Description

In a custom maven2 build that calls an ant script to invoke weblogic's compiler for workshop, some warning output includes a warning about the "<textarea>" tag. Continuum does not convert < and > into lt and gt entities. Since the build output is in another textarea it is sometimes not a problem. However, some browsers render nested textareas, and the remaining build log output is contained within the inner textarea.

While this is annoying, it is dangerous. One need only alter the build script to <echo> something more malicious - say something with javascript - to cause damage.

The fix is to pre-process the output to strip it of any html tag content.

This bug should be reproducable by creating a small build.xml that echo's a <textarea> and calling it from a maven pom file.

Issue Links

duplicates

Bug - A problem which impairs or prevents the functions of the product. CONTINUUM-530 HTML encode the build output

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

There are no comments yet on this issue.

People

  • Assignee:
    Unassigned
    Reporter:
    Christian Gruber
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: