-
1. Re: Need help on rich:fileUpload issue on redhat
michpetrov Oct 22, 2015 8:12 AM (in response to memain100)
You can insert HTML and execute JavaScript from browser console, how is this different?
-
2. Re: Need help on rich:fileUpload issue on redhat
memain100 Oct 22, 2015 4:13 PM (in response to michpetrov)
Michal, I understand your point, it is similar to that, but on file select/upload can't I validate/sanitize the file name?
I tried to validate the name on events like onadd, onfileselect, onfilesubmit, onbeforedomupdate, but the JavaScript in the file name gets executed before these events are triggered.
-
3. Re: Need help on rich:fileUpload issue on redhat
michpetrov Oct 23, 2015 4:58 AM (in response to memain100)
You cannot do it. Why do you need to sanitize it? The fileupload doesn't enable users to do anything they cannot already do.
-
4. Re: Need help on rich:fileUpload issue on redhat
memain100 Oct 26, 2015 2:57 AM (in response to michpetrov)
My client gets the code scanned by a security company; they found nothing except this, and it has been reported as a critical vulnerability.
-
5. Re: Need help on rich:fileUpload issue on redhat
michpetrov Oct 26, 2015 7:33 AM (in response to memain100)
If it were a security vulnerability it should've been reported and not discussed on a public forum.
Again, anyone can simply open the browser console and type $("<img src='xyz' onerror='alert(\"error\")' />").appendTo("body"). This is pretty much what the component does but it's easier to execute. The file list is temporary code (you can refresh the page to get rid of it), whatever a user puts in there affects only their "session". If the concern is about the filename being unsafe you can always check it in the upload listener; changing the client-side code to escape the filename wouldn't help with that.
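
The server-side check suggested in the last reply, as an added example that is not part of the thread and not RichFaces code: a filename validator that an upload listener could call before storing the name or showing it to other users. The class name, the allowlist and the sample names are assumptions made for illustration; in a RichFaces 4 listener the input would be event.getUploadedFile().getName().

```java
import java.text.Normalizer;
import java.util.Optional;
import java.util.regex.Pattern;

public class UploadNameCheck {
    // Allowlist (an assumption; tighten to your needs): letters, digits,
    // space, dot, underscore, hyphen, 1 to 255 characters.
    private static final Pattern ALLOWED =
            Pattern.compile("[\\p{L}\\p{N} ._-]{1,255}");

    /** Returns the name that is safe to store and display, or empty to reject the upload. */
    static Optional<String> acceptedName(String clientName) {
        if (clientName == null) {
            return Optional.empty();
        }
        // Some browsers send a full client path; keep only the last segment.
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String name = Normalizer
                .normalize(clientName.substring(cut + 1), Normalizer.Form.NFC)
                .trim();
        // Markup characters (< > ' " &) are outside the allowlist, so a name
        // carrying HTML is rejected here instead of being escaped later.
        // Leading-dot names (.htaccess and the like) are refused as well.
        if (name.startsWith(".") || !ALLOWED.matcher(name).matches()) {
            return Optional.empty();
        }
        return Optional.of(name);
    }

    public static void main(String[] args) {
        // Constructed sample names; the second is the string quoted in the thread.
        String[] samples = {
            "report-2015.pdf",
            "<img src='xyz' onerror='alert(\"error\")' />",
            "C:\\Users\\me\\photo 1.jpg",
            "../../etc/passwd",
            ".htaccess"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + acceptedName(s).orElse("REJECTED"));
        }
    }
}
```

Only the returned value should be persisted or rendered; the raw client-supplied name is discarded, which also drops any directory part the browser sent.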