/

Lucee Development

/

Copy link to issue

summary

XSS in REST error handler

Description

simply calling

http://localhost:8888/rest/%3Cscript%3Ealert(1)%3C/script%3E

results in an alert()

Environment

Environment

None

Activity

Show:

Igal Sapir

November 23, 2020, 6:09 AM

Copy link to comment

Calling the URI in the description now escapes the HTML and the message returned is:

Zac Spitzer

November 23, 2020, 6:33 AM

Copy link to comment

https://github.com/lucee/Lucee/commit/8f5d5901c1d320f2fcd7e7298dec01aa17cccd67

Fixed

Assignee

Assignee

Igal Sapir

Reporter

Reporter

Zac Spitzer

Priority

Priority

New

Labels

Labels

Fix versions

Fix versions

Affects versions

Affects versions