
XSS reflection in AssetDispatcher 404 response


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Bug
    • Affects Version/s: 5.7.2
    • Fix Version/s: None
    • Component/s: tapestry-core
    • Labels: None

    Description

      If you try to go to an invalid asset URL and put a <script> tag in the URL, the AssetDispatcher sends a 404 error response with the raw path as the error message. This causes the script to be executed when the browser displays the 404 page.

      An example URI path would be:

      * /assets/e050db57533420555849da94aa7e042981598b81/publicke4p0<script>alert('Reflected-XSS')</script>r3974/combined.js

      The raw incoming path should be HTML escaped before sending it as the body of the error response.
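      A minimal illustration of the fix the description asks for, added here as an example rather than code from Tapestry itself: the raw path is placed in the 404 body as-is beside the same body built from the HTML-escaped path. The class and method names are hypothetical and the body template is constructed; only the sample path comes from this report.

```java
// Added example, not Tapestry's AssetDispatcher. Shows the unsafe pattern the
// report describes next to the escaped form it recommends.
public final class AssetNotFoundExample {

    // The URI path quoted in the report, used here as sample input.
    static final String REPORTED_PATH =
        "/assets/e050db57533420555849da94aa7e042981598b81/publicke4p0"
        + "<script>alert('Reflected-XSS')</script>r3974/combined.js";

    /** Escapes the characters that change meaning in an HTML text or attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable: the request path is interpolated into an HTML body unchanged. */
    static String unsafeNotFoundBody(String path) {
        return "<html><body><h1>404 Not Found</h1><p>" + path + "</p></body></html>";
    }

    /** Fixed: the path is HTML-escaped before it is placed in the body. */
    static String safeNotFoundBody(String path) {
        return "<html><body><h1>404 Not Found</h1><p>" + escapeHtml(path) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // The unsafe body still contains a live <script> element; the safe one does not.
        System.out.println("unsafe contains <script>: " + unsafeNotFoundBody(REPORTED_PATH).contains("<script>"));
        System.out.println("safe contains <script>:   " + safeNotFoundBody(REPORTED_PATH).contains("<script>"));
        System.out.println(safeNotFoundBody(REPORTED_PATH));
    }
}
```

      The escaped body renders the path as visible text (`&lt;script&gt;...`) instead of markup, which is the behaviour the report asks for from the 404 response.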

          People

            Assignee: Unassigned
            Reporter: Joshua Hodge (aylwyne)