Cross site scripting - XSS

0

Dear Ivy team

Just recently we had a security audit which reported that our app is vulnerable to XSS attacks. The issue is that the Primeface input fields (whatever control) seem not to be escaped. By default it should be escape="true" but it seems it's escape="false" which would be really bad (for all Ivy based applications).

Any idea why this is the case ? May be an outdated jsf lib ?

Best regards John

asked 03.10.2019 at 08:33

John%20Moser's gravatar image

John Moser
(suspended)
accept rate: 0%

I can not see an 'escape' attribute on p:inputText or similar elements. To which control are you exactly referring?

(03.10.2019 at 10:05) Reguel Werme... ♦♦ Reguel%20Wermelinger's gravatar image

May be I have to ask it more generally. If I have a input field and I enter :

This is my test <script>alert(123)</script>

This text gets stored exactly as it is and if we use a JSF and/or Primefaces control to display it, we get a JS alert 123-dialog.

So what is the Ivy approach - do I have to encode it after the text got inputed or must all text get displayed escaped. I would assume this topic has already been investigated by you and there must be some rules to follow to avoid XSS.

(03.10.2019 at 10:46) John Moser John%20Moser's gravatar image
One Answer:
active answersoldestnewestmost voted
0

Hi John

Generally every jsf and primefaces component does the escapting as long as it is not activly set to false by a developer on a component.

link

answered 04.10.2019 at 05:09

SupportIvyTeam's gravatar image

SupportIvyTeam ♦♦
1.4k102118122
accept rate: 77%

I'd say that primefaces components are by default save and tested to not be vulnerable to XSS attacks. However, once the user prints data of the Html Dialog (collected via inputText elements and similar) directly on the front-end, then the developer has to ensure that is done in safe way. Especially plain El-Expressions that access data outside of a JSF widget build for it are vulnerable for the light-hearted introduced of new security issues. To make implementations save: always use 'value' attributes of primefaces components built to output users input.

(09.10.2019 at 04:17) Reguel Werme... ♦♦ Reguel%20Wermelinger's gravatar image
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×147

Asked: 03.10.2019 at 08:33

Seen: 2,501 times

Last updated: 09.10.2019 at 04:17

Related questions

Reload Process Model programmatically?

How to use own library which is already in designer

Dropdown autocomplete and ManagedBean

Issue with receiving and sending the same signal in a process

Different mechanism of loading rule between Designer and Engine

How to use ResultTable of cms

Exception when using ch.ivyteam.ivy.scripting.objects.List on Primefaces

Migrate running cases to new PMV

how to work with database in Axon Ivy 7.4.0 use Hibernate for modeling

Ivy.wf().documents() - How to update an existing document with new content?