Thread: Exploitable XSS in sample apps

  1. #1
    Join Date: Jul 2006
    Posts: 8

    Exploitable XSS in sample apps

    There is an exploitable XSS in both acegi-security-sample-tutorial and acegi-security-sample-contacts-filter.

    I assume that a lot of people are using the login page provided as is, just reskinning it. The problem lies in how the username is automatically re-populated after an incorrect login.

    Code:
    <c:if test="${not empty param.login_error}">value='<%= session.getAttribute(AuthenticationProcessingFilter.ACEGI_SECURITY_LAST_USERNAME_KEY) %>'</c:if>
    Using the <%= %> tags does not escape HTML, and therefore you could enter something like <script ... /> for a username and probably do some pretty good damage.

    The solution is to use <c:out/> tags with EL instead:

    Code:
    <c:if test="${not empty param.login_error}">value='<c:out value="${ACEGI_SECURITY_LAST_USERNAME}"/>'</c:if>

    ...
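
The following plain Java is an added illustration, not code from the original post or from the Acegi Security sample applications. It models the two login-page snippets so the difference can be run offline without a servlet container: renderVulnerable() concatenates the stored username the way the <%= %> scriptlet does, and renderFixed() passes it through escapeXml(), a hand-written equivalent of what JSTL's <c:out> does with its default escapeXml="true" (it escapes &, <, >, " and '). The class name, the method names and the sample usernames are all constructed for this example; no Acegi or servlet API is called, so it runs with javac and java alone.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not part of the original post or of Acegi Security):
 * models the vulnerable and the fixed rendering of the remembered username
 * on the sample login page.
 */
public class LastUsernameEscapingDemo {

    /**
     * Escapes the five characters that JSTL's c:out escapes when
     * escapeXml="true" (the default). A null attribute renders as empty
     * rather than as the string "null" that a <%= %> scriptlet would print.
     */
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Equivalent of the original <%= session.getAttribute(...) %>: raw concatenation. */
    static String renderVulnerable(String lastUsername) {
        return "<input type='text' name='j_username' value='" + lastUsername + "'>";
    }

    /** Equivalent of the fixed <c:out value="${ACEGI_SECURITY_LAST_USERNAME}"/>. */
    static String renderFixed(String lastUsername) {
        return "<input type='text' name='j_username' value='" + escapeXml(lastUsername) + "'>";
    }

    /** True if the rendered markup contains more than the one input element we intended. */
    static boolean containsInjectedMarkup(String rendered) {
        // Count '<' characters: a correctly escaped rendering has exactly one (the <input).
        int lt = 0;
        for (int i = 0; i < rendered.length(); i++) {
            if (rendered.charAt(i) == '<') {
                lt++;
            }
        }
        return lt != 1;
    }

    public static void main(String[] args) {
        // Constructed sample usernames. The second one closes the single-quoted
        // value attribute and starts a script element; the third uses only an
        // apostrophe to break out, which is why escaping < and > alone is not enough.
        List<String> samples = Arrays.asList(
            "alice",
            "x'><script>alert(document.cookie)</script><input value='",
            "x' onfocus='alert(1)' autofocus='"
        );
        for (String u : samples) {
            String vulnerable = renderVulnerable(u);
            String fixed = renderFixed(u);
            System.out.println("username:   " + u);
            System.out.println("vulnerable: " + vulnerable
                + "  injected=" + containsInjectedMarkup(vulnerable));
            System.out.println("fixed:      " + fixed
                + "  injected=" + containsInjectedMarkup(fixed));
            System.out.println();
        }
    }
}
```

Running main() shows the second sample producing a second element and a script block in the vulnerable rendering, while the escaped rendering keeps the whole string inside the attribute value. The third sample matters because the sample page delimits value with single quotes: a sanitizer that only handled &, < and > would still let an apostrophe close the attribute and add an event-handler attribute, so the quote characters have to be escaped as well, which <c:out> does by default.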

  2. #2
    Join Date: Sep 2006
    Location: UK
    Posts: 8,424

    If you think there's an issue here, you should check JIRA and add it. Obviously lots of people use these as a base so if there is a problem here, it would be good to get it sorted.
