Opened 14 months ago

Closed 11 months ago

Last modified 11 months ago

#2790 closed defect (fixed)

Potential XSS hole in AJAX viewer

Reported by: jng
Owned by: jng
Priority: low
Milestone: 3.1.2
Component: AJAX Viewer
Version:
Severity: trivial
Keywords:
Cc:
External ID:

Description

From the mailing list

Hi, there may be an XSS hole in quickplotpreviewinner.jsp (AJAX viewer, Java).
To prevent it, change line 96 to:

annotations.put("{scale}", "1 : " + EscapeForHtml(request.getParameter("scale_denominator")));

I did not look at PHP or .NET.
Regards, svlad

Change History (2)

comment:1 Changed 11 months ago by jng

Resolution: fixed
Status: assigned → closed

In 9481:

Plug potential XSS hole in Quick Plot (Java AJAX viewer). Unlike the suggested fix in the original ticket, we'll just run the request parameter through GetIntParameter() that would render any malicious content to 0.

Fixes #2790
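As an added example (not MapGuide's own code), the two mitigations discussed in this ticket side by side: the HTML escaping suggested on the mailing list and the integer coercion adopted in r9481. The getIntParameter and escapeForHtml helpers are assumed stand-ins for the GetIntParameter and EscapeForHtml functions named above, and the annotations map mirrors the JSP's annotations.put() call.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not MapGuide code; helpers below are assumed stand-ins.
public class ScaleDenominatorDemo {
    // Parse the raw request value as an integer; anything else becomes 0,
    // so markup in the parameter can never reach the page (the committed fix).
    static int getIntParameter(String raw) {
        if (raw == null) return 0;
        try {
            return Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            return 0;
        }
    }
    // Minimal HTML text-node escaper (the mailing-list suggestion).
    static String escapeForHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Build the {scale} annotation three ways from the same raw parameter.
    static Map<String, String> buildAnnotations(String scaleDenominator) {
        Map<String, String> annotations = new HashMap<>();
        // Before the fix: raw value concatenated straight into the HTML.
        annotations.put("{scale_unsafe}", "1 : " + scaleDenominator);
        // Mailing-list fix: escape so any markup renders as literal text.
        annotations.put("{scale_escaped}", "1 : " + escapeForHtml(scaleDenominator));
        // Committed fix: force the value to an int; non-numeric input becomes 0.
        annotations.put("{scale}", "1 : " + getIntParameter(scaleDenominator));
        return annotations;
    }
    public static void main(String[] args) {
        // Constructed sample values: one legitimate, one carrying HTML markup.
        for (String raw : new String[] {"50000", "5000<b>x</b>"}) {
            System.out.println(raw + " -> " + buildAnnotations(raw));
        }
    }
}
```

The integer approach is a whitelist: it also turns legitimate but non-integer input such as "1:50000" into 0, whereas the escaping approach passes such values through unchanged.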

comment:2 Changed 11 months ago by jng

In 9482:

Merged revision(s) 9481 from branches/3.1/MgDev:
Plug potential XSS hole in Quick Plot (Java AJAX viewer). Unlike the suggested fix in the original ticket, we'll just run the request parameter through GetIntParameter() that would render any malicious content to 0.

Fixes #2790
........
