Cross-Site Scripting (Reflected)

Support
#1

Hey there,

we currently had just performed penetration test for a project that will go live soon. Unfortunately, the feedback we get is “Encode data on output” where the explanation for this: “At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content.
Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.” and the affected instance is “https://example.com/yy/vaadinServlet/APP/UPLOAD/0/2644/uploadUrl/uuid [filename]”.

is there a way/ work a round to encode the file? or do we have to encode the file before upload to the storage?

2 Likes
#2
#3
#7

Hi,

Could you please elaborate what output of uploaded file is being interpreted as active content?

If this means the file content then Jmix doesn’t process files content. But you can do such processing on your own using TemporaryStorage. For instance, assumeing that a user upload a file that contains html markup then:

  1. Set fileStoragePutMode="MANUAL" for the upload field component.
<fileStorageUpload id="fileField"
                   property="image"
                   fileStoragePutMode="MANUAL"/>
  1. Subscribe on FileUploadSucceedEvent
  2. Obtain a temporal file
  3. Process file, save a new version to the file storage
  4. Delete original file
@Autowired
private FileStorageUploadField fileField;
@Autowired
private TemporaryStorage temporaryStorage;

@Subscribe("fileField")
public void onFileFieldFileUploadSucceed(SingleFileUploadField.FileUploadSucceedEvent event) {
    File file = temporaryStorage.getFile(fileField.getFileId()); 
    if (file != null) {
        processFile(file);
        temporaryStorage.deleteFile(fileField.getFileId());
    }
}

private void processFile(File file) {
    // process file to get sanitized content
    String sanitizedContent = ...;
    InputStream inputStream = IOUtils.toInputStream(sanitizedContent, Charset.defaultCharset());
    fileStorage.saveStream(file.getName(), inputStream);
}

Regards,
Gleb