fix(core): WW-5623 HTML-encode form action in PostbackResult to prevent XSS #1653
tranquac wants to merge 1 commit into apache:main from
Conversation
PostbackResult.doExecute() embeds finalLocation into a <form action=""> attribute via raw string concatenation without HTML encoding. A double quote in the location breaks out of the attribute, enabling reflected XSS. The response Content-Type is text/html (line 103). This is an encoding inconsistency: form field names and values at lines 218-219 ARE properly URL-encoded via URLEncoder.encode(), but the form action attribute was not encoded at all. Add encodeHtml() to escape &, ", <, > in finalLocation before embedding it in the HTML form tag, consistent with the existing encoding approach for form field values in the same class.
| PrintWriter pw = new PrintWriter(response.getOutputStream()); | ||
| pw.write("<!DOCTYPE html><html><body><form action=\"" + finalLocation + "\" method=\"POST\">"); | ||
| String safeLocation = encodeHtml(finalLocation); | ||
| pw.write("<!DOCTYPE html><html><body><form action=\"" + safeLocation + "\" method=\"POST\">"); |
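Review bot: encodeHtml() is called on the new line but is defined nowhere in this hunk, so the change does not compile on its own; the helper has to land in PostbackResult (or an existing escaper be used instead) and must cover at least &, ", < and > as the description promises, since the double quote is what closes action="...". Escaping the attribute value only stops the breakout, though: safeLocation is still emitted verbatim as the URL, so if finalLocation is attacker-influenced as described, a value such as javascript:... remains a syntactically valid action and is worth rejecting (or restricting to http(s) and relative paths) in a separate check.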
Could you create a JIRA ticket first?

I requested a Jira account! And I will create a JIRA ticket soon!

Hello @lukaszlenart, I created a JIRA ticket for this issue: https://issues.apache.org/jira/projects/WW/issues/WW-5623?filter=allissues

Please add a focused unit test for this change in

Thanks for your feedback. I will quickly create a full patch based on your comment. I will notify you when it's finished and create a new PR.
Summary
PostbackResult.doExecute() at line 107 embeds finalLocation into a form action attribute via raw string concatenation without HTML encoding. The response Content-Type is text/html (line 103). A double-quote character in the location breaks out of the attribute, enabling reflected XSS.
This is an encoding inconsistency: form field names and values at lines 218-219 ARE properly URL-encoded via URLEncoder.encode(), but the form action attribute was not encoded at all.
Changes
Impact
When a developer uses PostbackResult with an OGNL expression referencing a user-controllable property (a documented framework feature for dynamic routing), an attacker can inject arbitrary HTML attributes and elements via the form action attribute.
Test
A PoC application with 5 test scenarios verifies the vulnerability and fix. Browser-based testing with Playwright confirms the XSS alert fires before the fix.
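The encoder and the breakout the description talks about, as an added example rather than code from the Struts project or from this PR: `encodeHtml` here is a stand-in for the helper the PR adds but does not show, `renderFormRaw`/`renderFormEncoded` mirror the before and after concatenation in `PostbackResult.doExecute()`, `stayedInsideAttribute` is a crude structural check (a tag with exactly two quoted attributes has exactly four double quotes), and `isAcceptableActionUrl` is an extra scheme check that goes beyond the PR, since attribute encoding alone does not stop a `javascript:` URL from being a valid form action. The sample location and payload are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not Struts code: minimal HTML attribute encoding for a form action
// plus a harness that shows the attribute breakout WW-5623 describes.
public class PostbackEncodingDemo {

    // Hypothetical stand-in for the encodeHtml() helper the PR introduces.
    // Escapes the characters that matter inside an HTML attribute or text node.
    static String encodeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // not in the PR's list; cheap extra safety
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Before the fix: the location is concatenated straight into the attribute.
    static String renderFormRaw(String location) {
        return "<form action=\"" + location + "\" method=\"POST\">";
    }

    // After the fix: the location is HTML-encoded first.
    static String renderFormEncoded(String location) {
        return "<form action=\"" + encodeHtml(location) + "\" method=\"POST\">";
    }

    // A tag with exactly two double-quoted attributes contains exactly four double
    // quotes; any other count means the location closed the attribute early.
    static boolean stayedInsideAttribute(String formTag) {
        return formTag.chars().filter(ch -> ch == '"').count() == 4;
    }

    // Defence in depth beyond the PR: accept only relative locations and http(s) URLs,
    // so an encoded but still executable javascript: action is rejected too.
    static boolean isAcceptableActionUrl(String location) {
        try {
            String scheme = new URI(location).getScheme();
            return scheme == null
                || scheme.equalsIgnoreCase("http")
                || scheme.equalsIgnoreCase("https");
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected rather than guessed at
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign relative location and an attribute-breakout payload.
        String benign  = "/login.action?redirect=home&lang=en";
        String payload = "\"><img src=x onerror=alert(1)>";

        System.out.println("raw     : " + renderFormRaw(payload)
            + "  inside=" + stayedInsideAttribute(renderFormRaw(payload)));
        System.out.println("encoded : " + renderFormEncoded(payload)
            + "  inside=" + stayedInsideAttribute(renderFormEncoded(payload)));
        System.out.println("benign  : " + renderFormEncoded(benign)
            + "  acceptable=" + isAcceptableActionUrl(benign));
        System.out.println("scheme  : javascript:alert(1) acceptable="
            + isAcceptableActionUrl("javascript:alert(1)"));
    }
}
```

Run it with `java PostbackEncodingDemo.java` (JDK 11 or later). The raw rendering of the payload reports `inside=false` because the injected quote closes the attribute and the `<img>` becomes a sibling element; the encoded rendering keeps the whole payload as an inert attribute value. Note that `&` in the benign query string becomes `&amp;`, which is the correct way to write it inside HTML and is decoded back to `&` by the browser before the request is sent.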