The “alias” field on the Trust Store Import Form permits entry of JavaScript

Description

Reported by @SimonWaters:

Replication Steps:

  • Login to the Openfire Admin Console

  • Navigate to TLS/SSL Certificates

  • Select 'Manage Store Contents' under ANY of the Stores (e.g. External Component Stores)

  • Select the 'import form' link

  • Set the 'Alias' field value to:

  • Set the 'Content of Certificate file' field value to:

  • Save the new alias.

Observe, when visiting the External Components -> Trust Store page, the JavaScript is executed and the dialogue is shown.

Environment

None

Acceptance Test - Entry

None

Activity

Simon Waters
December 16, 2016, 2:57 PM

The fix for this is incomplete in 4.1beta

Escaping is missing here:
/security-certificate-details.jsp
" Below are the details of the certificate with the alias (NAME) from the"

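The incomplete-fix pattern described in the comment above, as an added example that is not Openfire's code: one page escapes the alias and another concatenates it raw, and a small check flags the sink that still leaks. The class, the render methods, the markup around the quoted sentence and the sample aliases are all constructed for illustration.

```java
public class AliasEscapingExample {
    // Hypothetical helper: escapes the five HTML metacharacters (text and quoted attributes).
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Simplified stand-in for a store listing row where the alias is escaped.
    static String renderListRow(String alias) {
        return "<td title=\"" + escapeHtml(alias) + "\">" + escapeHtml(alias) + "</td>";
    }

    // Simplified stand-in for the details sentence, alias concatenated without escaping.
    static String renderDetailsUnescaped(String alias) {
        return "<p>Below are the details of the certificate with the alias <b>" + alias + "</b></p>";
    }

    // The same sentence with the alias escaped at the point of output.
    static String renderDetailsEscaped(String alias) {
        return "<p>Below are the details of the certificate with the alias <b>" + escapeHtml(alias) + "</b></p>";
    }

    // True when an alias containing metacharacters appears verbatim in the rendered HTML.
    static boolean leaksRawAlias(String html, String alias) {
        return !escapeHtml(alias).equals(alias) && html.contains(alias);
    }

    public static void main(String[] args) {
        // Constructed sample aliases; the middle one carries harmless markup.
        String[] aliases = { "rootca-2016", "ca\"><b>injected</b>", "Tom & Co's CA" };
        for (String alias : aliases) {
            System.out.println("alias: " + alias);
            System.out.println("  list row leaks:          " + leaksRawAlias(renderListRow(alias), alias));
            System.out.println("  details (raw) leaks:     " + leaksRawAlias(renderDetailsUnescaped(alias), alias));
            System.out.println("  details (escaped) leaks: " + leaksRawAlias(renderDetailsEscaped(alias), alias));
        }
    }
}
```

Running the same check against every page that prints the alias is what catches a sink missed by a partial fix.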
Dave Cridland
December 21, 2016, 11:45 AM

Assignee

Dave Cridland

Reporter

Tim Durden

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Minor