[MAGNOLIA-3867] XSS vulnerability in Magnolia Inbox Created: 21/Oct/11  Updated: 13/Dec/11  Resolved: 25/Oct/11

Status: Closed
Project: Magnolia
Component/s: workflow
Affects Version/s: 4.4.5
Fix Version/s: 4.4.6

Type: Bug
Priority: Blocker
Reporter: Martin Schmid
Assignee: Ondrej Chytil
Resolution: Fixed
Votes: 0
Labels: vulnerability, xss
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: any


Patch included: Yes

Description

We figured out that a content operator (editor) can put JavaScript code into the activation dialog.

The JS code will be executed in the publisher inbox.
To avoid this, change the line (in class info.magnolia.module.workflow.inbox.Inbox):

============
list.addColumn(new ListColumn("comment", msgs.get("inbox.comment"), "200", true));
============

to the following:

============
list.addColumn(new ListColumn() {
    {
        setName("comment");
        setLabel(msgs.get("inbox.comment"));
        setWidth("200px");
        setSeparator(true);
    }

    @Override
    public Object getValue() {
        // escape the comment on output so markup typed into the activation dialog is rendered as text
        openwfe.org.engine.workitem.StringAttribute str =
                (openwfe.org.engine.workitem.StringAttribute) super.getValue();
        return StringEscapeUtils.escapeHtml(str.getValue().toString());
    }
});
============



Comments
Comment by Jan Haderka [ 22/Oct/11 ]

Thanks for reporting the problem. It will be fixed as soon as possible and fix will be released with the next maintenance release.

Comment by Martin Schmid [ 24/Oct/11 ]

Hi,

the "comment" can be a String OR a StringAttribute.
Please use this fixed version of the code:

====================

list.addColumn(new ListColumn() {
    {
        setName("comment");
        setLabel(msgs.get("inbox.comment"));
        setWidth("200px");
        setSeparator(true);
    }

    @Override
    public Object getValue() {
        // the comment may be stored either as a plain String or as a StringAttribute
        if (super.getValue() instanceof String) {
            String string = (String) super.getValue();
            return StringEscapeUtils.escapeHtml(string);
        } else {
            openwfe.org.engine.workitem.StringAttribute stringAttribute =
                    (openwfe.org.engine.workitem.StringAttribute) super.getValue();
            // escapes the attribute's value in place and returns the attribute
            stringAttribute.setValue(StringEscapeUtils.escapeHtml(stringAttribute.getValue().toString()));
            return stringAttribute;
        }
    }
});

====================
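The following is an added, self-contained example (not Magnolia's code and not the reporter's patch) that illustrates both the description above and the second comment: why rendering the inbox comment column unescaped is a stored XSS, and how a column can escape the value whether it arrives as a plain String or as a StringAttribute. `StringAttribute`, `ListColumn` and `renderCell` are stand-ins for the real classes, `escapeHtml` is a minimal replacement for commons-lang `StringEscapeUtils.escapeHtml`, and the sample comment is constructed.

```java
// Added example, not Magnolia's code: demonstrates output escaping for the
// workflow inbox comment column. All class names below are stand-ins.
public class InboxCommentEscapingDemo {

    // Stand-in for openwfe.org.engine.workitem.StringAttribute (assumption:
    // a thin wrapper whose getValue() returns the raw text).
    static final class StringAttribute {
        private final String value;
        StringAttribute(String value) { this.value = value; }
        Object getValue() { return value; }
    }

    // Stand-in for the list column: getValue() returns whatever the backing
    // work item holds, which is what the original Inbox code rendered directly.
    static class ListColumn {
        private final Object raw;
        ListColumn(Object raw) { this.raw = raw; }
        Object getValue() { return raw; }
    }

    // Minimal HTML escaper for the characters that matter inside an HTML text
    // node or attribute. The real fix uses commons-lang StringEscapeUtils.escapeHtml.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened column: normalises both value types to a String and escapes it
    // at render time. Returning a new String (instead of mutating the attribute
    // in place, as the second comment's patch does) leaves the stored work item
    // untouched, so rendering the same row twice cannot double-escape it.
    static final class EscapingCommentColumn extends ListColumn {
        EscapingCommentColumn(Object raw) { super(raw); }

        @Override
        Object getValue() {
            Object v = super.getValue();
            if (v == null) {
                return "";
            }
            String text = (v instanceof StringAttribute)
                    ? String.valueOf(((StringAttribute) v).getValue())
                    : String.valueOf(v);
            return escapeHtml(text);
        }
    }

    // Renders a cell the way a table view would: the column value is dropped into markup.
    static String renderCell(ListColumn column) {
        return "<td>" + column.getValue() + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample: a comment an editor could type into the activation dialog.
        String comment = "please publish <script>alert(1)</script>";

        String unescaped = renderCell(new ListColumn(comment));
        String escapedString = renderCell(new EscapingCommentColumn(comment));
        String escapedAttribute = renderCell(new EscapingCommentColumn(new StringAttribute(comment)));

        System.out.println("unescaped : " + unescaped);
        System.out.println("escaped   : " + escapedString);
        System.out.println("attribute : " + escapedAttribute);

        // The hardened column must produce identical, markup-free output for both value types.
        if (escapedString.contains("<script>") || !escapedString.equals(escapedAttribute)) {
            throw new AssertionError("comment column still renders raw markup");
        }
    }
}
```

Running the class prints the raw cell with the script tag intact, followed by `<td>please publish &lt;script&gt;alert(1)&lt;/script&gt;</td>` for both the String and the StringAttribute case; the final check fails if either path lets markup through.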

Generated at Mon Feb 12 03:50:26 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.