JBehave / JBEHAVE-654

LocalFrameContextView is susceptible to something like XSS (not a security issue though)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: web-3.4.3
    • Fix Version/s: web-3.5
    • Component/s: Web Selenium
    • Labels: None
    • Number of attachments: 0

      Description

      The status display in org.jbehave.web.selenium.LocalFrameContextView is constructing an HTML string for the current step by concatenating the strings with HTML tags; this will not work if the step itself contains HTML tags or JavaScript fragments.

      This doesn't cause any real issues, but it makes the current step fail. In essence this is an injection error (if this were in a web application, this would be sufficient for an XSS bug).

      I noticed this when writing an example XSS story for my project. For now I just commented out the offending steps; I will submit a patch when I get around to it on the weekend.
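
      The concatenation described in this report, next to an encoded alternative, as an added example that is not the JBehave code or the linked patch. The class and method names, the label markup and the sample step are assumptions made for illustration.

```java
import javax.swing.JLabel;

public class StepStatusEscaping {

    // Before: the step text is concatenated straight into the markup, so any
    // tags inside the step are parsed by Swing's HTML renderer, not displayed.
    static String unsafeStatus(String scenario, String step) {
        return "<html><b>" + scenario + "</b><br>" + step + "</html>";
    }

    // Encode the characters that are significant in HTML text and attributes.
    static String escapeHtml(String text) {
        if (text == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // After: only the fixed template contributes tags; values are encoded.
    static String safeStatus(String scenario, String step) {
        return "<html><b>" + escapeHtml(scenario) + "</b><br>"
                + escapeHtml(step) + "</html>";
    }

    public static void main(String[] args) {
        // Constructed sample input, like a step from an XSS test story.
        String scenario = "Search rejects markup";
        String step = "When I enter <script>alert(1)</script> & press \"Go\"";

        System.out.println("unsafe: " + unsafeStatus(scenario, step));

        // JLabel treats text starting with <html> as HTML, so it gets the encoded form.
        JLabel status = new JLabel();
        status.setText(safeStatus(scenario, step));
        System.out.println("safe:   " + status.getText());
    }
}
```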

        Activity

        Alexander Lehmann added a comment -

        Instead of updating the status window, an exception shows up:

        Exception in thread "AWT-EventQueue-0" java.lang.ClassCastException: javax.swing.JLabel cannot be cast to javax.swing.text.JTextComponent

        Alexander Lehmann added a comment -

        https://github.com/alexlehm/jbehave-web/commit/7589d8138ce1c54efe2bb5f61995e4432949e11c

        JBEHAVE-654: LocalFrameContextView is susceptible to something like XSS

        properly encode input parameters as html

        Mauro Talevi added a comment (edited) -

        Pulled patch. Thanks.

        Mauro Talevi made changes -
        Field: Status; Original Value: Open [ 1 ]; New Value: Resolved [ 5 ]
        Field: Fix Version/s; Original Value: (none); New Value: web-3.5 [ 17722 ]
        Field: Resolution; Original Value: (none); New Value: Fixed [ 1 ]

          People

          • Assignee: Unassigned
          • Reporter: Alexander Lehmann
          • Votes: 0
          • Watchers: 0
