Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#2790 closed defect (fixed)

Potential XSS hole in AJAX viewer

Reported by: jng Owned by: jng
Priority: low Milestone: 3.1.2
Component: AJAX Viewer Version:
Severity: trivial Keywords:
Cc: External ID:

Description

From the mailing list 

Hi, there may be a xss hole in quickplotpreviewinner.jsp (Ajaxviewer Java). 
to prevent change the line 96 to 
annotations.put("{scale}", "1 : " + 
EscapeForHtml(request.getParameter("scale_denominator"))); 
I did not look at php or .net. 
Regards svlad

Change History (2)

comment:1 by jng, 6 years ago

Resolution: fixed
Status: assignedclosed

In 9481:

Plug potential XSS hole in Quick Plot (Java AJAX viewer). Unlike the suggested fix in the original ticket, we'll just run the request parameter through GetIntParameter() that would render any malicious content to 0.

Fixes #2790

comment:2 by jng, 6 years ago

In 9482:

Merged revision(s) 9481 from branches/3.1/MgDev:
Plug potential XSS hole in Quick Plot (Java AJAX viewer). Unlike the suggested fix in the original ticket, we'll just run the request parameter through GetIntParameter() that would render any malicious content to 0.

Fixes #2790
........

Note: See TracTickets for help on using tickets.