Re: JSF outputText tag: the good, the bad and the ugly

alvaro_munoz

Hi Kurt,

No, JSF won't encode #{param.xss} within script or style blocks (this is somewhat surprising and undocumented, but it's how it's supposed to behave, according to the JSF team).

Also, due to CVE-2013-5855, it won't encode it if #{param.xss} is right after a closing script or style tag.

Thanks for your comment.

A


Comments
Kurt Dmello

As far as I understand, JSF never encodes #{param.xss} regardless of its position. Isn't that true?


Craig_Doremus

Is this vulnerability exhibited by the Apache MyFaces JSF implementation too?

alvaro_munoz

Hi Craig,

MyFaces does not encode outputText tags within Script or Style blocks (The bad), but it does correctly encode the outputText tags right after a script or style block (The ugly).

Thanks for your comment.

A

Alb3rt0c

Why is it indicated that this vulnerability provides no advantage to the attackers?

alvaro_munoz

Hi Alberto,

It is stated that this "disclosure" does not provide any advantage to the attackers since they are already testing for XSS issues. On the other side, it's helpful for developers who may have a false sense of security.

Cheers,

A
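As an added example (not the author's code and not part of Mojarra or MyFaces), the small Java class below shows the encoding each of the three placements from the thread needs: outputText's HTML escaping is right for a text node and for text right after a closing script tag, but a value placed inside a script block needs a JavaScript string-literal encoder, which JSF does not supply. The helper names and the sample input are constructed for this example.

```java
import java.util.Locale;

/** Added example: contextual output encoding for the three outputText placements discussed above. */
public final class ContextualEncoding {

    /** HTML text context: the escaping JSF applies to outputText in a text node ("the good"). */
    static String encodeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** JavaScript string-literal context ("the bad"): hex-escape every non-alphanumeric character,
     *  so a quote or "</script>" inside the value can neither end the literal nor the script block. */
    static String encodeJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format(Locale.ROOT, "\\x%02X", (int) c));
            } else {
                out.append(String.format(Locale.ROOT, "\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    /** Render one untrusted value in all three placements, each with the encoder its context requires. */
    static String render(String untrusted) {
        return "<p>" + encodeHtml(untrusted) + "</p>\n"                        // text node: HTML encoding
             + "<script>var q = '" + encodeJsString(untrusted) + "';</script>\n" // inside script: JS encoding
             + encodeHtml(untrusted) + "\n";                                   // right after </script>: HTML encoding
    }

    public static void main(String[] args) {
        // Constructed sample: a value that would close the script block if copied through verbatim.
        String sample = "Kurt's</script><b>note</b>";
        String page = render(sample);
        System.out.println(page);
        // No raw markup from the value survives in any of the three placements.
        if (page.contains("</script><b>")) throw new AssertionError("raw markup leaked into output");
    }
}
```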
