Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Appearance settings
This repository was archived by the owner on Jan 30, 2019. It is now read-only.
This repository was archived by the owner on Jan 30, 2019. It is now read-only.

[sec] Attacker could load own helpset #36

Copy link
Copy link

Description

@glassfishrobot
Issue body actions

javax.help.tagext.ValidateTag allows to provide the url to the hsName by a reqeust parameter, if no hsName is provided in the code an attacker could provide a link to some helpSet he controls and load it into any website.
The request parameter helpset has to be validated before using it.

Reactions are currently unavailable

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions

Morty Proxy This is a proxified and sanitized view of the page, visit original site.