Bug 233219 - Blindly executing Javascript from data set poses XSS threat
Status: NEW
Alias: None
Product: z_Archived
Classification: Eclipse Foundation
Component: BIRT
Version: 2.2.2
Hardware: PC Windows XP
Importance: P3 normal
Target Milestone: Future
Assignee: Birt-ReportViewer CLA
Reported: 2008-05-21 09:47 EDT by Jeff Stricker CLA
Modified: 2008-09-17 02:53 EDT

Description Jeff Stricker CLA 2008-05-21 09:47:03 EDT
Build ID: BIRT runtime (2.2.0 through 2.2.2)

Steps To Reproduce:
1. Put Javascript code in a database column.
2. Write a report that uses the aforementioned column.
3. Notice BIRT blindly executes this code in the web viewer.

More information:
This is probably related to https://bugs.eclipse.org/bugs/show_bug.cgi?id=125052.

An easy fix for this (at least in the short-term) would be to add a flag to enable/disable dataset-based Javascript execution at a global level.
Comment 1 Jason Weathersby CLA 2008-05-21 10:15:58 EDT
Jeff,

If you are using a text element you may be able to prevent this by doing something like this in the expression for the text element.

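<VALUE-OF format="HTML">
// Show a placeholder instead of any value that contains a closing script tag.
if( row["htmlDescription"] != null ){
    // indexOf returns 0 for a match at the very start of the value, so compare with >= 0.
    if( row["htmlDescription"].indexOf("</script>") >= 0 ){
        "Cant Display Script";
    }else{
        row["htmlDescription"];
    }
}</VALUE-OF>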
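
An added example, not part of the comment above and not BIRT code: it runs a substring check in the style of that workaround next to HTML output encoding over constructed column values, to show which values each approach neutralizes. The function names, the sample values and the `notify()` call are hypothetical.

```javascript
// Denylist check in the style of the workaround: true means the value is replaced.
function blockedBySubstringCheck(value) {
  return value !== null && value.indexOf("</script>") !== -1;
}

// Output encoding: each HTML metacharacter becomes an entity, so the browser
// renders the column value as text and never parses it as markup.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  if (value === null || value === undefined) return "";
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Constructed column values (not taken from the bug report).
const SAMPLES = [
  "Plain description",
  "<script>notify()</script>",                  // caught by the substring check
  "<SCRIPT>notify()</SCRIPT>",                  // different case: not caught
  '<img src="missing.png" onerror="notify()">', // no script tag at all: not caught
  "Tom & Jerry <b>bold</b>",
];

// For each value: does the substring check replace it, and is the encoded
// form free of raw tag delimiters?
function compare(samples) {
  return samples.map((value) => {
    const escaped = escapeHtml(value);
    return {
      value,
      blocked: blockedBySubstringCheck(value),
      escaped,
      inert: !/[<>]/.test(escaped),
    };
  });
}

for (const row of compare(SAMPLES)) {
  console.log(JSON.stringify(row));
}
```

Encoding suits columns that are meant to be shown as text; a column that must carry formatting markup needs an allowlist-based HTML sanitizer instead.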