Hide Forgot
project_key: JBEPP this issue has two subdivisions: 1. basic page add - login - click on dashboard, to the "on page editor" click on the "plus" button to add new page and set "<script>alert('hi');</script>" as its name - the javascript is now invoked 2. advanced page add - login, go to dashboard - click dashboard editor -> add new page - put "whatever" to node name and "<script>alert('hi');</script>" as node description - click next, next - the javascript is invoked
Security: Removed: Public Added: RHT+eXo
Tentatively set for 5.1.0 CR01
Javascript is invoked but not stored (It says just after that the title is invalid) so I don't know if it's really a security issue
Similar behavior
Link: Added: This issue is related to JBEPP-847
Link: Added: This issue is related to GTNPORTAL-1858
Release Notes Docs Status: Removed: Not Required Added: Documented as Known Issue Release Notes Text: Added: XSS issue in dashboard new page creation
Release Notes Docs Status: Removed: Documented as Known Issue Added: Documented as Resolved Issue Release Notes Text: Removed: XSS issue in dashboard new page creation Added: XSS issue in dashboard new page creation has been fixed so that the javascript isn't invoked anymore
Release Notes Text: Removed: XSS issue in dashboard new page creation has been fixed so that the javascript isn't invoked anymore Added: A cross-site scripting (XSS) vulnerability allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. Groovy encoding methods have been added to the code to prevent this and javascript is no longer invoked.
Release Notes Docs Status: Removed: Documented as Resolved Issue Added: Needs More Info Release Notes Text: Removed: A cross-site scripting (XSS) vulnerability allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. Groovy encoding methods have been added to the code to prevent this and javascript is no longer invoked. Added: Cause: NEEDINFO What allowed the javascript to be executed? Or what what missing that would have prevented it? Consequence: This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. Fix: Groovy encoding methods have been added to the code to prevent this (NEEDINFO Is this correct? What was added/removed that stops javascript?) Result: Javascript is no longer invoked when entered into page fields.
Release Notes Text: Removed: Cause: NEEDINFO What allowed the javascript to be executed? Or what what missing that would have prevented it? Consequence: This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. Fix: Groovy encoding methods have been added to the code to prevent this (NEEDINFO Is this correct? What was added/removed that stops javascript?) Result: Javascript is no longer invoked when entered into page fields. Added: Cause: Name of a dashboard page entered by user was not properly encoded before being returned on the web browser. Consequence: This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. Fix: The name of the page is now properly HTML encoded before being returned. Result: Javascript is no longer invoked when entered into page fields.
Release Notes Docs Status: Removed: Needs More Info Added: Not Yet Documented
Release Notes Docs Status: Removed: Not Yet Documented Added: Documented as Resolved Issue
Link: Added: This issue relates to JBEPP-915
Release Notes Text: Removed: Cause: Name of a dashboard page entered by user was not properly encoded before being returned on the web browser. Consequence: This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. Fix: The name of the page is now properly HTML encoded before being returned. Result: Javascript is no longer invoked when entered into page fields. Added: The name of a dashboard page entered by user was not properly encoded before being returned on the web browser. This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. The name of the page is now properly HTML encoded before being returned and javascript is no longer invoked when entered into page fields.
Security: Removed: RHT+eXo Added: Public