Details
Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: web-3.4.3
Fix Version/s: web-3.5
Component/s: Web Selenium
Labels: None
Description
The status display in org.jbehave.web.selenium.LocalFrameContextView is constructing an HTML string for the current step by concatenating the strings with HTML tags; this will not work if the step itself contains HTML tags or JavaScript fragments.
This doesn't cause any real issues, but it makes the current step fail. In essence this is an injection error (if this were in a web application, this would be sufficient for an XSS bug).
I noticed this when writing an example XSS story for my project. For now I just commented out the offending steps; I will submit a patch when I get around to it on the weekend.
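The injection described in this report, shown as an added Java example that is not JBehave's code and not part of the original report. The class and method names (`StepStatusHtml`, `unsafeHtml`, `safeHtml`, `escapeHtml`) and the sample step are hypothetical, and it assumes the status text is shown in a Swing component that treats a string starting with `<html>` as markup.

```java
public class StepStatusHtml {
    // Constructed sample: a step of the kind an XSS test story would contain.
    static final String SAMPLE_STEP =
            "When I enter <script>alert('x')</script> & submit the form";

    /** Concatenation as described in the report: step text becomes markup. */
    static String unsafeHtml(String scenario, String step) {
        return "<html><b>" + scenario + "</b><br>" + step + "</html>";
    }

    /** Encodes the characters that carry meaning in HTML text and attributes. */
    static String escapeHtml(String text) {
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                // Numeric form, because &apos; is not an HTML 3.2 entity.
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Same layout, but every untrusted value is encoded before it is joined. */
    static String safeHtml(String scenario, String step) {
        return "<html><b>" + escapeHtml(scenario) + "</b><br>"
                + escapeHtml(step) + "</html>";
    }

    public static void main(String[] args) {
        String unsafe = unsafeHtml("Search form", SAMPLE_STEP);
        String safe = safeHtml("Search form", SAMPLE_STEP);
        // The unsafe string carries the step's own tag into the markup.
        System.out.println("unsafe contains <script>: " + unsafe.contains("<script>"));
        // The safe string keeps the step as visible text only.
        System.out.println("safe contains <script>:   " + safe.contains("<script>"));
        System.out.println(safe);
        // Either string would then be passed to the component's setText(...).
    }
}
```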
Activity
Mauro Talevi made changes -
Field | Original Value | New Value |
---|---|---|
Status | Open [ 1 ] | Resolved [ 5 ] |
Fix Version/s | | web-3.5 [ 17722 ] |
Resolution | | Fixed [ 1 ] |
Instead of updating the status window, an exception shows up:
Exception in thread "AWT-EventQueue-0" java.lang.ClassCastException: javax.swing.JLabel cannot be cast to javax.swing.text.JTextComponent