
Bug 280142

Summary: FilteredItemSelectionDialog - script injection vulnerability (firefox)
Product: [RT] RAP
Reporter: Elias Volanakis <elias>
Component: JFace
Assignee: Project Inbox <rap-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: major    
Priority: P3    
Version: 1.2   
Target Milestone: 1.2   
Hardware: PC   
OS: All   
Whiteboard:
Bug Depends on: 280166    
Bug Blocks:    
Attachments:
Zipped project to reproduce issue (flags: none)

Description Elias Volanakis CLA 2009-06-12 16:08:41 EDT
If a user-submitted string shown in the FilteredItemSelectionDialog list contains JS-code, this will be executed in the browser. See View.java in attached project.

This seems to be browser specific:

FF 3.0.8 - script executes
IE 8 - script does not execute
Comment 1 Elias Volanakis CLA 2009-06-12 16:09:42 EDT
Created attachment 139072
Zipped project to reproduce issue
Comment 2 Elias Volanakis CLA 2009-06-12 16:11:07 EDT
Would be interesting to know if there is a workaround (escaping?) that can be applied to the strings, without changing the displayed values in the list (i.e. currently escaped literals like &quot; are not unquoted)...
Comment 3 Rüdiger Herrmann CLA 2009-06-13 07:05:22 EDT
The actual source of the problem is the CLabel, see bug 280166
Comment 4 Elias Volanakis CLA 2009-06-13 14:22:42 EDT
Also, Vasko has found a workaround that works for us. We are using ElementListSelectionDialog instead.
Comment 5 Rüdiger Herrmann CLA 2009-06-15 08:54:11 EDT
Resolving this bug as fixed since the actual source of the problem is solved (bug 280166)
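
Added illustration, not part of the bug thread and not code from RAP or the attached project: the escaping question raised in comment 2, shown as a label rendered as markup next to one encoded once at the point where text becomes markup. It also shows that encoding a second time upstream changes the displayed value. All function names and the sample string are assumptions made for this example.

```javascript
// Added illustration; all names are hypothetical and none is a RAP API.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
const OPEN = '<div class="item">';
const CLOSE = "</div>";

// Encode text for use as HTML element content.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Vulnerable pattern: the label text is treated as markup.
function renderItemUnsafe(label) {
  return OPEN + label + CLOSE;
}

// Hardened pattern: the label text is encoded once, where it becomes markup.
function renderItemSafe(label) {
  return OPEN + escapeHtml(label) + CLOSE;
}

// Content between the wrapper tags.
function innerContent(html) {
  return html.slice(OPEN.length, -CLOSE.length);
}

// True if the item content would be parsed as elements rather than as text.
function hasActiveMarkup(html) {
  return /<[a-z\/!]/i.test(innerContent(html));
}

// Text a browser displays for fully encoded content (single-pass entity decode).
function displayedText(html) {
  return innerContent(html).replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => DECODE[name]);
}

// Constructed sample of a user-submitted list entry.
const sample = 'Bob "B" <script>alert(1)</script>';

console.log("unsafe renders markup:", hasActiveMarkup(renderItemUnsafe(sample)));
console.log("safe renders markup:  ", hasActiveMarkup(renderItemSafe(sample)));
console.log("safe displays:        ", displayedText(renderItemSafe(sample)));
// Encoding in the application AND in the renderer shows entity text to the user.
console.log("double-encoded shows: ", displayedText(renderItemSafe(escapeHtml(sample))));
```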