Cross Site Scripting vulnerability when using Smart Refresh
This flash describes a scenario that can cause cross site scripting issues when using smart refresh.
When using Smart Refresh with input values containing a <script> tag. IBM WebSphere Experience Factory V7.0 has code that protects against the execution of the script when displaying text, but the Dojo code that adds content to a page used by Smart Refresh can pull all the <script> tags out from anywhere in the content and execute it.
In order to protect against the potential of cross site scripting, applications should always be developed with validation for all input form values. Validation should reject values containing special characters such as < and > to prevent these values from flowing into the application.
As a fail-safe measure, code updates have been released as test fixes for V7.0.0.x and for 7.0.1.x that automatically encode < and > to prevent Dojo from identifying form inputs as scripts. Customers can apply the appropriate test fix, but the recommended approach is to have models explicitly validate all form inputs rather than relying upon the fail-safe. By properly coding the content, the problem can be avoided.
More support for:
IBM Web Experience Factory
Software version: 7.0, 7.0.1
Operating system(s): Windows
Software edition: Deployment, Designer
Reference #: 1575083
Modified date: 07 November 2012
Translate this page: