[CMS-14944] [Backport] Ensure context-menu javascript render code does not allow user input other than numbers - Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 13.4.15, 14.7.4, 15.0.0
Component/s: None
Labels:
None

Story Points:
0.5
Processed by team:
Nova
Sprint:
Team Nova Sprint 278

Description

The following three files contain a version of the snippet below that shows that user input is reflected in the response:

community/cms/console/frontend/src/main/java/org/hippoecm/frontend/plugins/console/browser/BrowserPlugin.java

community/cms/perspectives/src/main/java/org/hippoecm/frontend/plugins/cms/browse/tree/FolderTreePlugin.java

community/cms/api/src/main/java/org/hippoecm/frontend/plugins/standards/tabs/TabbedPanel.java

final Request request = RequestCycle.get().getRequest();
final IRequestParameters queryParameters = request.getQueryParameters();
final StringValue x = queryParameters.getParameterValue(MOUSE_X_PARAM);
final StringValue y = queryParameters.getParameterValue(MOUSE_Y_PARAM);
final String renderContextMenu = String.format("Hippo.ContextMenu.renderAtPosition('%s', %s, %s);", menu.getMarkupId(), x, y);
target.appendJavaScript(renderContextMenu);

By ensuring the value is parsed as an Int (it is supposed to be a number anyway) we prevent a malicious user from trying an XSS attack.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Arthur Bogaart

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18/Jan/22 8:22 AM

Updated:: 25/Jan/22 10:42 AM

Resolved:: 24/Jan/22 5:05 AM