Details
- Bug
- Status: Closed
- Major
- Resolution: Not A Bug
- 5.7.2
- None
- None
Description
If you request an invalid asset URL that contains a <script> tag, the AssetDispatcher sends a 404 error response with the raw path as the error message. This causes the script to be executed when the browser displays the 404 page.
An example URI path would be:
* /assets/e050db57533420555849da94aa7e042981598b81/publicke4p0<script>alert('Reflected-XSS')</script>r3974/combined.js
The raw incoming path should be HTML escaped before sending it as the body of the error response.
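To illustrate the defect and the fix, here is an added example (not the project's AssetDispatcher code, whose language the report does not show; Python is used for illustration): a 404 handler that echoes the raw path beside one that HTML-escapes it, plus a check a test suite could run against both. The `Response` class, the two handler names and `reflects_markup` are assumed names; the sample path is the one from the report.

```python
import html
from dataclasses import dataclass, field

# Sample request path, taken from the report's example URI
ATTACK_PATH = ("/assets/e050db57533420555849da94aa7e042981598b81/"
               "publicke4p0<script>alert('Reflected-XSS')</script>r3974/combined.js")


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def not_found_unsafe(path: str) -> Response:
    """Mirrors the reported behaviour: the untrusted path is interpolated
    verbatim into an HTML body, so any markup in it is rendered by the browser."""
    return Response(
        status=404,
        headers={"Content-Type": "text/html; charset=utf-8"},
        body=f"<html><body><h1>404 Not Found</h1><p>{path}</p></body></html>",
    )


def not_found_safe(path: str) -> Response:
    """Hardened variant: escape <, >, &, " and ' before echoing the path.
    X-Content-Type-Options stops browsers from second-guessing the declared type."""
    return Response(
        status=404,
        headers={
            "Content-Type": "text/html; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
        },
        body=("<html><body><h1>404 Not Found</h1><p>"
              f"{html.escape(path, quote=True)}</p></body></html>"),
    )


def reflects_markup(resp: Response, untrusted: str) -> bool:
    """Regression check: True when the untrusted input reaches the body
    unchanged and an unescaped <script tag is present in the response."""
    return untrusted in resp.body and "<script" in resp.body.lower()


if __name__ == "__main__":
    print("unsafe handler reflects markup:", reflects_markup(not_found_unsafe(ATTACK_PATH), ATTACK_PATH))
    print("safe handler reflects markup:  ", reflects_markup(not_found_safe(ATTACK_PATH), ATTACK_PATH))
```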