project_key: JBEPP go to WSRP producer properties page add new property with name <script>alert('a');</script>, with label whatever and with hint whatever click save - error message about non-valid name is shown log-out and log-in, go to WSRP producer properties again the property was saved, despite non-valid name
I believe this is an instance of the session eviction issue. Basically, if you log out and log back in with the same user, no data is evicted. I still agree that this should be handled better.
Link: Added: This issue depends GTNWSRP-275
Release Notes Docs Status: Added: Not Yet Documented Release Notes Text: Added: Values input in the registration properties field in the Producer configuration part of the WSRP administration portlet were not properly validated resulting in errors further down the stack (in particular at the persistence level), inconsistent user interface and possible XSS. Input is now properly validated and errors should now be caught much earlier, thus avoiding invalid values to propagate to lower levels of the WSRP service.
Fixed with upgrade to a more recent WSRP version.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Values input in the registration properties field in the Producer configuration part of the WSRP administration portlet were not properly validated. This resulted in errors further down the stack (in particular at the persistence level), an inconsistent user interface, and possible XSS vulnerabilities. Input is now properly validated and errors should now be caught much earlier, rherefore avoiding invalid values to propagate to lower levels of the WSRP service.