Dear Ivy team

Just recently we had a security audit which reported that our app is vulnerable to XSS attacks. The issue is that the PrimeFaces input fields (whatever control) seem not to be escaped. By default it should be escape="true" but it seems it's escape="false" which would be really bad (for all Ivy based applications).

Any idea why this is the case? Maybe an outdated JSF lib?

Best regards John

asked 03.10 at 08:33

John Moser

I cannot see an 'escape' attribute on p:inputText or similar elements. To which control are you exactly referring?

(03.10 at 10:05) Reguel Werme... ♦♦

Maybe I have to ask it more generally. If I have an input field and I enter:

This is my test <script>alert(123)</script>

This text gets stored exactly as it is and if we use a JSF and/or Primefaces control to display it, we get a JS alert 123-dialog.

So what is the Ivy approach - do I have to encode it after the text got inputted or must all text get displayed escaped? I would assume this topic has already been investigated by you and there must be some rules to follow to avoid XSS.

(03.10 at 10:46) John Moser

Hi John

Generally every JSF and PrimeFaces component does the escaping as long as it is not actively set to false by a developer on a component.

answered 04.10 at 05:09

SupportIvyTeam ♦♦

I'd say that PrimeFaces components are by default safe and tested to not be vulnerable to XSS attacks. However, once the user prints data of the Html Dialog (collected via inputText elements and similar) directly on the front-end, then the developer has to ensure that this is done in a safe way. Especially plain EL expressions that access data outside of a JSF widget built for it are vulnerable to the light-hearted introduction of new security issues. To make implementations safe: always use 'value' attributes of PrimeFaces components built to output user input.

(09.10 at 04:17) Reguel Werme... ♦♦
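
The default escaping and the developer opt-out described in the answers above, shown side by side in a Facelets view. This is an added example, not part of the original thread and not Axon Ivy's own code; the `data.comment` property, the component ids and the button are assumptions made for illustration.

```xml
<!-- Added example. Assumption: a dialog data object "data" with a String
     property "comment" that holds whatever the user typed. -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html"
      xmlns:p="http://primefaces.org/ui">
<h:head>
  <title>Output escaping</title>
</h:head>
<h:body>
  <h:form id="form">
    <!-- The input is stored exactly as typed, e.g.
         This is my test <script>alert(123)</script>
         Storing it unmodified is expected; escaping is applied on output. -->
    <p:inputText id="comment" value="#{data.comment}" />
    <p:commandButton id="save" value="Save" update="@form" />

    <!-- Safe: escape defaults to true on h:outputText, so the stored text
         is rendered as
         This is my test &lt;script&gt;alert(123)&lt;/script&gt;
         and the browser shows it as text instead of running it. -->
    <h:outputText id="shown" value="#{data.comment}" />

    <!-- Unsafe: escaping actively switched off by the developer. The stored
         markup reaches the browser as HTML and the alert dialog appears.
         Only use escape="false" on content that was sanitized server-side. -->
    <h:outputText id="raw" value="#{data.comment}" escape="false" />
  </h:form>
</h:body>
</html>
```

Searching the project's views for `escape="false"` is a quick way to find the places an audit finding like the one in the question can come from.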

Last updated: 09.10 at 04:17