New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XML escaping and unescaping not properly handled #22

Open

cinlloc opened this issue May 9, 2016 · 1 comment

cinlloc commented May 9, 2016 •

edited

Loading

Problem discovered by attempting XSS injection on UploadAction:

[SERVER SIDE, UploadAction.java] When creating XML error message, XML entities are not escaped:

postResponse = "<" + TAG_ERROR + ">" + error + "</" + TAG_ERROR + ">";

[CLIENT SIDE, Uploader.java] When receiving XML error message from server, strange and uncomplete unescaping is done:

serverRawResponse = serverRawResponse.replace(TAG_MSG_LT, "<").replace(TAG_MSG_GT, ">").replace("&lt;", "<").replaceAll("&gt;", ">").replaceAll("&nbsp;", " ");

Suggestions:

There should be a proper StringEscapeUtils.escapeXml in the first place.
serverRawResponse shouldn't be unescaped, because serverRawResponse will be parsed as XML.
Text extracted from parsed serverRawResponse should be unescape only if needed (i.e. if used in a javascript popup). For example, should unescape msg here (BaseUploadStatus.java):

/* (non-Javadoc)
   * @see gwtupload.client.IUploadStatus#setError(java.lang.String)
   */
  public void setError(String msg) {
    setStatus(Status.ERROR);
    Window.alert(msg.replaceAll("\\\\n", "\\n"));
  }

stezadov mentioned this issue

Drag-and-drop upload of a file with "&" in its name fails #26

Open

csware mentioned this issue

Use proper XML #30

Merged

Contributor

csware commented Feb 14, 2021

Can be closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment