Bugzilla – Attachment 93307 Details for Bug 223363: [Webapp][Security] Cross site scripting vulnerabilities in confirm.jsp and deferredView.jsp
[patch] Patch: patch223363.txt (text/plain), 1.87 KB, created by Chris Goldthorpe on 2008-03-24 15:05:42 EDT
>### Eclipse Workspace Patch 1.0 >#P org.eclipse.help.webapp >Index: advanced/confirm.jsp >=================================================================== >RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/advanced/confirm.jsp,v >retrieving revision 1.15 >diff -u -r1.15 confirm.jsp >--- advanced/confirm.jsp 9 Feb 2006 20:26:58 -0000 1.15 >+++ advanced/confirm.jsp 24 Mar 2008 18:58:23 -0000 >@@ -75,7 +75,7 @@ > %> > sizeButtons(); > <%}%> >- document.getElementById("<%=request.getParameter("initialFocus")%>").focus(); >+ document.getElementById("<%=UrlUtil.JavaScriptEncode(request.getParameter("initialFocus"))%>").focus(); > } > > function sizeButtons() { >@@ -93,10 +93,10 @@ > try{ > <% if ("true".equalsIgnoreCase(request.getParameter("dontaskagain")) ){ %> > if(document.getElementById("dontask").checked){ >- window.opener.<%=request.getParameter("dontaskagainCallback")%>; >+ window.opener.<%=UrlUtil.JavaScriptEncode(request.getParameter("dontaskagainCallback"))%>; > } > <% } %> >- window.opener.<%=request.getParameter("confirmCallback")%>; >+ window.opener.<%=UrlUtil.JavaScriptEncode(request.getParameter("confirmCallback"))%>; > } catch(e) {} > window.close(); > return false; >Index: advanced/deferredView.jsp >=================================================================== >RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/advanced/deferredView.jsp,v >retrieving revision 1.1 >diff -u -r1.1 deferredView.jsp >--- advanced/deferredView.jsp 26 Sep 2006 14:28:23 -0000 1.1 >+++ advanced/deferredView.jsp 24 Mar 2008 18:58:23 -0000 >@@ -21,8 +21,8 @@ > <title><%=ServletResources.getString("Loading", request)%></title> > > <script language="JavaScript"> >- function onloadHandler() { >- location.href="<%=request.getParameter("href")%>"; >+ function onloadHandler() { >+ location.href="<%=UrlUtil.JavaScriptEncode(request.getParameter("href"))%>"; > } > </script> >
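Review bot: In the first confirm.jsp hunk (the `document.getElementById(...)` line at -75,7), `request.getParameter("initialFocus")` goes into `UrlUtil.JavaScriptEncode` with no null check, and the diff does not show how the encoder treats a missing parameter. The value is only ever used as an element id here, so consider validating it against the ids this dialog defines (or a strict identifier pattern) and falling back to a default before emitting it; that also avoids calling `.focus()` on a null lookup result. It would help to document on `JavaScriptEncode` which characters it escapes, in particular the double quote, backslash, line terminators and the `</script` sequence, because the value lands inside a double-quoted string in an inline script block.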
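Review bot: In the second confirm.jsp hunk (-93,10), `dontaskagainCallback` and `confirmCallback` are written after `window.opener.` as script code rather than inside a quoted string, so an encoder intended for string literals does not bound what the emitted expression can be; the request still chooses what runs against the opener. Suggest resolving each parameter on the server to one of a fixed set of known callback names, or rejecting anything that is not a plain identifier with an empty argument list, and emitting only that. Also confirm that the encoding leaves the legitimate callback values passed by existing callers unchanged, since the hunk does not show what those values look like.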
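Review bot: In the deferredView.jsp hunk (-21,8), escaping `href` keeps the value inside the string literal, but it is still assigned to `location.href` as supplied, so the scheme and host of the navigation target remain request-controlled. Suggest checking on the server that `href` is a relative URL within the help webapp (or matches an allowlist of schemes) and rendering a safe default otherwise. Minor: the `function onloadHandler() {` line is removed and re-added with what appears to be a whitespace-only change; dropping it would keep the diff limited to the security fix.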