Shiro Plugin

XSS vulnerability in principal tag

Details

  • Type: Improvement
  • Status: Resolved
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.1
  • Component/s: None
  • Labels: None
  • Environment: All

Description

The principal tag in the JSecurity plugin is not HTML-encoded, so a principal that contains markup is written into the page as-is; the tag is therefore vulnerable to XSS attacks.

A fix would be to call encodeAsHTML on the result in the JsecTagLib.

Originally reported to mailing list: http://markmail.org/message/gmsknbpu7xzz65vg
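The following before/after is an added illustration of the fix the issue proposes; it is not the plugin's own JsecTagLib source. The shape of the tag closures is a reconstruction of a typical Grails taglib, `SecurityUtils.subject` is the standard Shiro call, and `encodeAsHTML()` is the standard Grails HTML codec; the real plugin's attribute handling is not shown on this page and is assumed away here.

```groovy
import org.apache.shiro.SecurityUtils

// Illustrative reconstruction (not the plugin's actual code).
class JsecTagLib {

    // BEFORE (vulnerable): the principal is written to the response
    // verbatim. A principal such as a self-chosen username containing
    // <script>...</script> is rendered as markup, not as text.
    def principalUnencoded = { attrs, body ->
        def subject = SecurityUtils.subject
        if (subject?.principal != null) {
            out << subject.principal
        }
    }

    // AFTER (fixed): run the principal through the Grails HTML codec so
    // '<', '>', '&' and quotes are emitted as entities. toString() covers
    // non-String principal types before encoding.
    def principal = { attrs, body ->
        def subject = SecurityUtils.subject
        if (subject?.principal != null) {
            out << subject.principal.toString().encodeAsHTML()
        }
    }
}
```

To confirm the fix, render a GSP that uses the tag while logged in with a constructed principal such as `<b>test</b>` and check that the response body contains `&lt;b&gt;test&lt;/b&gt;` rather than a bold element; the same check against the unencoded closure shows the raw tag passing through.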

Activity

There are no comments yet on this issue.

