Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 4.4.6
Affects Version/s: 4.4.5
Component/s: workflow
Labels:
- vulnerability
- xss
Environment:
any

Template:
Patch included:

Yes
Acceptance criteria:

Empty

show more show less
Task DoD:

show more show less
Bug DoR:

show more show less

We figured out that a content operator (editor) can put javascript code to the activation dialog.

The JS code will be executed on the publisher inbox.
To avoid this, change the line (in class info.magnolia.module.workflow.inbox.Inbox):

============
list.addColumn(new ListColumn("comment", msgs.get("inbox.comment"), "200", true));
============

to the following:

============
list.addColumn(new ListColumn() {

{ setName("comment"); setLabel(msgs.get("inbox.comment")); setWidth("200px"); setSeparator(true); }

@Override
public Object getValue()

{ openwfe.org.engine.workitem.StringAttribute str = (openwfe.org.engine.workitem.StringAttribute) super.getValue(); return StringEscapeUtils.escapeHtml(str.getValue().toString()); }

});
============

Acceptance criteria

Assignee:: Ondrej Chytil

Reporter:: Martin Schmid

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Created:: 21/Oct/11 11:06 PM

Updated:: 13/Dec/11 10:31 AM

Resolved:: 25/Oct/11 9:46 AM

Date of First Response:: 22/Oct/11 9:01 AM

Bug DoR

Task DoD

Details

Description

Checklists

Attachments

Activity

People

Dates

Checklists