Comments on: fixing JForum XSS error in PM module with quotes https://www.selikoff.net/2014/05/24/fixing-jforum-xss-error-in-pm-module-with-quotes/ Java/J2EE Software Development and Technology Discussion Blog Sun, 28 Sep 2014 14:13:20 +0000 hourly 1 https://wordpress.org/?v=7.0 By: fixing clickjacking and brute force login for jforum | Down Home Country Coding With Scott Selikoff and Jeanne Boyarsky https://www.selikoff.net/2014/05/24/fixing-jforum-xss-error-in-pm-module-with-quotes/comment-page-1/#comment-126518 Sun, 28 Sep 2014 14:13:20 +0000 http://www.selikoff.net/?p=5210#comment-126518 […] blogging about some of the security fixes we’ve made in the CodeRanch fork of JForum such as XSS with quotes and CSRF. Today it is time to write about Clickjacking and preventing brute force […]

]]> By: Jeanne Boyarsky https://www.selikoff.net/2014/05/24/fixing-jforum-xss-error-in-pm-module-with-quotes/comment-page-1/#comment-100917 Sun, 07 Sep 2014 23:58:51 +0000 http://www.selikoff.net/?p=5210#comment-100917 In reply to Dan.

Dan,
Approach #1 does escape properly. (It’s escaping all HTML, not just the quotes.) The problem is that we need to render HTML code so it doesn’t display quotes/bold/etc properly.

For approach #2, you need to change the Java code.

]]> By: Dan https://www.selikoff.net/2014/05/24/fixing-jforum-xss-error-in-pm-module-with-quotes/comment-page-1/#comment-95649 Fri, 05 Sep 2014 01:58:01 +0000 http://www.selikoff.net/?p=5210#comment-95649 Hi Jeanne, just wondering the easy fix really fix the problem?

I tested on my own with the double quote fix; if the injection use ” instead of ‘, we still can get the xss.

just wondering “The system doesn’t escape single quotes” – does it escape double quote?

Also I am not clear of how do you approach the #2; shall we change the java code? or the Freemarker templates?

Regards,

Dan

]]>