Cross-site scripting vulnerability in WMS exceptions

Description

Arbitrary bytes can be injected into the locator element in a WMS exception:

Ben Caradoc-Davies commented on GEOS-5318 (https://jira.codehaus.org/browse/GEOS-5318, "cross-site scripting vulnerability in layer preview pages"):
------------------------------------------
Jukka, which script did you test? The openlayers example above or Mats' example, which was like this?:

http://localhost:8080/geoserver/ows?SERVICE=WMS&request=%22%3E%3Ca%20xmlns:a=%27http://www.w3.org/1999/xhtml%27%3E%3Ca:body%20onload=%22alert%28%27xss%27%29%22/%3E%3C/a%3E%3C

(Test link based on one provided by Victor Tey.)

Jukka Rahkonen commented on GEOS-5318 (https://jira.codehaus.org/browse/GEOS-5318, "cross-site scripting vulnerability in layer preview pages"):
--------------------------------------
The OpenLayers example after "Here's an example:". That shows only an OpenLayers map, but the other one by Victor Tey indeed shows a text box "xss" with Firefox 31.0.
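
The injection described in this issue, as an added Python example that is not part of the original thread or of GeoServer's code: it decodes the test link quoted above, places the value into a `locator` attribute with and without attribute escaping, and checks the resulting report. The report layout, the `OperationNotSupported` code, the message text, the function names and the `MARKER` input are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit
from xml.sax.saxutils import quoteattr

# Test link quoted in the thread, with the "&amp;" HTML entity restored to "&".
TEST_URL = ("http://localhost:8080/geoserver/ows?SERVICE=WMS&request="
            "%22%3E%3Ca%20xmlns:a=%27http://www.w3.org/1999/xhtml%27%3E"
            "%3Ca:body%20onload=%22alert%28%27xss%27%29%22/%3E%3C/a%3E%3C")
# Constructed, script-free marker that keeps the unescaped report well-formed.
MARKER = '"><injected/></ServiceException><ServiceException locator="'

# Assumed report layout (simplified; not GeoServer's actual template).
HEAD = ('<ServiceExceptionReport version="1.1.1">'
        '<ServiceException code="OperationNotSupported" locator=')
TAIL = '>Unknown request</ServiceException></ServiceExceptionReport>'

def request_param(url):
    """Decode the 'request' query parameter the way the server receives it."""
    return parse_qs(urlsplit(url).query)["request"][0]

def report_unescaped(locator):
    """Vulnerable pattern: request data concatenated straight into the attribute."""
    return HEAD + '"' + locator + '"' + TAIL

def report_escaped(locator):
    """Hardened pattern: quoteattr() escapes &, <, > and returns the value
    already wrapped in quotes that the value cannot close."""
    return HEAD + quoteattr(locator) + TAIL

def locator_is_inert(xml_text, raw_value):
    """True only if the report parses, contains exactly the two expected
    elements, and the locator attribute round-trips to the raw input."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False  # input left the attribute and broke the markup
    tags = [el.tag for el in root.iter()]
    if tags != ["ServiceExceptionReport", "ServiceException"]:
        return False  # input left the attribute and added elements
    return root[0].get("locator") == raw_value

if __name__ == "__main__":
    for value in (request_param(TEST_URL), MARKER):
        print(locator_is_inert(report_unescaped(value), value),
              locator_is_inert(report_escaped(value), value))
```

A check like `locator_is_inert` fits a regression test for the exception writer: a report that still parses is not enough, because the `MARKER` case stays well-formed while adding elements.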

Environment

None

Status

Assignee

Unassigned

Reporter

codehaus

Triage

None

Fix versions

Affects versions

Components

Priority

Medium