5 Replies Latest reply on Oct 26, 2015 7:33 AM by Michal Petrov

    Need help on rich:fileUpload issue on redhat

    memain100 Newbie

      I'm using rich:fileUpload in my application on redhat. When I try to upload any file containing HTML code in the file name, i.e. "file<img src=xyz onerror=alert('TEST')>Name.pdf", it gives me a JavaScript alert before uploading the file. I tried it on the live demo and found the same issue there as well. How can I restrict/escape execution of HTML/script or XSS in the file name on redhat?


      You can try it yourself by following these steps on redhat.


      • Create a file with the name "file<img src=xyz onerror=alert('TEST')>Name.pdf"
      • Access the rich:fileUpload demo on the RichFaces showcase using the URL below.
      • Upload the file and you will see a JavaScript alert.


      http://showcase.richfaces.org:8000/richfaces/component-sample.jsf?demo=fileUpload&skin=blueSky
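The alert fires before the upload starts, so the file name is being inserted into the page as HTML when the list entry is drawn. The following is an added example (not RichFaces code and not from the post) showing the unsafe concatenation pattern next to two defensive patterns: escaping the name before building markup, and inserting it via textContent so it is never parsed as HTML. The function and variable names are illustrative.

```javascript
// Added example (not from RichFaces or the original post): render an uploaded
// file's name as text so any markup in the name is displayed, never executed.

// Minimal HTML escaper for cases where a string must be built as markup.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Unsafe pattern: the raw file name is concatenated into an HTML string, which
// reproduces the symptom in the post (markup in the name runs on insertion).
function unsafeEntryHtml(fileName) {
  return '<span class="file-label">' + fileName + '</span>';
}

// Safe pattern when a markup string is unavoidable: escape the name first.
function safeEntryHtml(fileName) {
  return '<span class="file-label">' + escapeHtml(fileName) + '</span>';
}

// Preferred pattern in a browser: build the element with DOM APIs and set
// textContent, so the name is never parsed as HTML at all. `document` is
// assumed to exist in a browser; outside one the function returns null.
function safeEntryElement(fileName) {
  if (typeof document === 'undefined') return null;
  var span = document.createElement('span');
  span.className = 'file-label';
  span.textContent = fileName; // markup in the name stays literal text
  return span;
}

// Constructed sample input using the file name from the post.
var SAMPLE_NAME = "file<img src=xyz onerror=alert('TEST')>Name.pdf";
```

The same rule applies on the server side: any place the stored file name is echoed back into a page (a JSF outputText, a download listing) must escape it for the HTML context it lands in.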