Cross Site Scripting vulnerability when using Smart Refresh

Flash (Alert)


Abstract

This flash describes a scenario that can cause cross site scripting issues when using smart refresh.

Content

When using Smart Refresh with input values containing a <script> tag. IBM WebSphere Experience Factory V7.0 has code that protects against the execution of the script when displaying text, but the Dojo code that adds content to a page used by Smart Refresh can pull all the <script> tags out from anywhere in the content and execute it.
Best Practice:
In order to protect against the potential of cross site scripting, applications should always be developed with validation for all input form values. Validation should reject values containing special characters such as < and > to prevent these values from flowing into the application.

Fix available:
As a fail-safe measure, code updates have been released as test fixes for V7.0.0.x and for 7.0.1.x that automatically encode < and > to prevent Dojo from identifying form inputs as scripts. Customers can apply the appropriate test fix, but the recommended approach is to have models explicitly validate all form inputs rather than relying upon the fail-safe. By properly coding the content, the problem can be avoided.

Related information

WEF 7.0.1.2 LO65985
WPF 7.0.0.2 LO65984

Rate this page:

(0 users)Average rating

Document information


More support for:

IBM Web Experience Factory

Software version:

7.0, 7.0.1

Operating system(s):

Windows

Software edition:

Deployment, Designer

Reference #:

1575083

Modified date:

2012-11-07

Translate my page

Machine Translation

Content navigation