
Cross-site scripting (XSS injection) is possible in JSPUI Recent Submissions listings

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 3.0, 3.1, 3.2, 3.3, 4.0, 4.1, 4.2, 5.0
    • Fix Version/s: 3.4, 4.3, 5.1
    • Component/s: JSPUI
    • Environment: N/A
    • Attachments: 0
    • Comments: 14
    • Documentation Status: Not Required

      Description

      On the collection home page in JSPUI, there is a list of recent submissions that shows the titles of a few items in the collection.

      The title strings are not passed through the Utils.addEntities method, so embedded JavaScript/CSS in a title will be evaluated by the browser.

      To fix, wrap "dcv[0].value" in "Utils.addEntities" in "collection-home.jsp".
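      The unescaped and the entity-encoded rendering side by side, as an added Java illustration that is not DSpace's own code: escapeHtml stands in for Utils.addEntities, and the list markup, handle and item title are constructed for the demo.

```java
// Added illustration for DS-1702 (not DSpace code): the title of a recent
// submission rendered verbatim, next to the same markup with the title
// entity-encoded. escapeHtml is assumed to behave like Utils.addEntities.
public class RecentSubmissionsEscapeDemo {

    // Replace the characters that let a string break out of an HTML text or
    // attribute context. Assumed equivalent to DSpace's Utils.addEntities.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // "Before": the title value is concatenated into the page unchanged, as
    // collection-home.jsp did with dcv[0].value prior to the fix.
    static String renderVulnerable(String handle, String title) {
        return "<li><a href=\"/handle/" + handle + "\">" + title + "</a></li>";
    }

    // "After": identical markup, but the title goes through escapeHtml first,
    // so any markup inside it is shown as text rather than parsed.
    static String renderFixed(String handle, String title) {
        return "<li><a href=\"/handle/" + handle + "\">" + escapeHtml(title) + "</a></li>";
    }

    public static void main(String[] args) {
        // Constructed sample metadata: a dc.title value that contains markup.
        String title = "Annual report <script>alert(1)</script> & notes";
        String handle = "123456789/1";   // placeholder handle, not a real item

        System.out.println("before: " + renderVulnerable(handle, title));
        System.out.println("after:  " + renderFixed(handle, title));
    }
}
```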

            People

            Assignee: l_a_p (Luigi Andrea Pascarelli, 4Science)
            Reporter: titusland (Sean Xiao)
                Time Tracking

                Estimated: 1 day
                Remaining: 1 day
                Logged: Not Specified