tracker issue : CF-4126661

Title:

OWASP Encoder Functions not XSS Safe in all contexts, e.g. encodeForHTML in JS


Status/Resolution/Reason: Closed/Withdrawn/Duplicate

Reporter/Name(from Bugbase): Peter Freitag / Peter Freitag (Peter Freitag)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type: Unspecified

Found In Build/Fixed In Build: Alpha_v31 /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Mac All

Vote Count: 0

Duplicate ID: CF-4026100

Problem Description: The encodeForHTML function is designed to be used in the body of an HTML tag only, not in an HTML attribute, not in CSS and not in JavaScript. The security analyzer thinks that encodeForHTML is safe inside a script tag.

Steps to Reproduce: Run security analyzer on attached file.

Actual Result: No issues found.

Expected Result: Should warn about encodeForHTML inside JS

Any Workarounds: none
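The analyzer gap the report describes, checked by hand: an added Python script (not part of the tracker record or of Adobe's Security Analyzer) that flags encodeForHTML() calls falling inside a <script> block of a CFML file, where encodeForJavaScript() is the context-correct encoder. The sample CFM source is constructed here; the attached encodeforhtml-in-script.cfm is not reproduced on the page.

```python
import re

# Constructed CFML sample (the attached encodeforhtml-in-script.cfm is not on the page).
# Line 5 uses encodeForHTML() inside a JavaScript string, which is the reported gap;
# line 6 uses the context-correct encodeForJavaScript().
SAMPLE_CFM = """<html>
<body>
<p>Hello, <cfoutput>#encodeForHTML(url.name)#</cfoutput></p>
<script>
  var name = "<cfoutput>#encodeForHTML(url.name)#</cfoutput>";
  var safe = "<cfoutput>#encodeForJavaScript(url.name)#</cfoutput>";
</script>
</body>
</html>
"""

# <script ...> ... </script>, case-insensitive, spanning lines.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
# CFML function names are case-insensitive, so EncodeForHTML( must match too.
HTML_ENCODER_CALL = re.compile(r"\bencodeForHTML\s*\(", re.IGNORECASE)


def find_html_encoders_in_script(source):
    """Return [(line_number, source_line)] for every encodeForHTML() call that
    sits inside a <script> block.  HTML entity encoding is scoped to HTML body
    text and does not neutralise a JavaScript string or code context, so each
    hit is a place where encodeForJavaScript() should have been used."""
    lines = source.splitlines()
    findings = []
    for block in SCRIPT_BLOCK.finditer(source):
        body_start = block.start(1)
        for call in HTML_ENCODER_CALL.finditer(block.group(1)):
            offset = body_start + call.start()
            line_no = source.count("\n", 0, offset) + 1
            findings.append((line_no, lines[line_no - 1].strip()))
    return findings


if __name__ == "__main__":
    for line_no, text in find_html_encoders_in_script(SAMPLE_CFM):
        print(f"line {line_no}: encodeForHTML used in JavaScript context: {text}")
```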

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID: 4126661

External Customer Info:
External Company: Foundeo Inc.
External Customer Name: Peter Freitag
External Customer Email: PETE@FOUNDEO.COM
External Test Config:  


Bug File Paths:
\\sjshare.corp.adobe.com\Prereleasebugfiles\ColdFusion Builder\3.1\Alpha_v31\4026607\encodeforhtml-in-script.cfm

Attachments:

Comments:

Adding BUG AUDIT TRAIL ********
action: updated fieldName: Reason newValue: Duplicate oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-30 06:15:17.0
action: updated fieldName: Closed By newValue: preethi oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-30 06:15:17.0
action: updated fieldName: Owner newValue: Blank oldValue: preethi oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-30 06:15:17.0
action: updated fieldName: Status newValue: Withdrawn oldValue: Unverified oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-30 06:15:17.0
action: updated fieldName: Duplicate Bug ID newValue: CF-4026100 oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-30 06:15:17.0
action: updated fieldName: State newValue: Closed oldValue: Open oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-30 06:15:17.0
action: updated fieldName: Date Closed newValue: 2015-07-29 23:15:17.0 oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-30 06:15:17.0
action: updated fieldName: Owner newValue: preethi oldValue: prk oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-28 05:37:36.0
action: updated fieldName: Fix By Product Milestone newValue: Blank oldValue: Blank oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-28 05:37:36.0
action: updated fieldName: Dev Assigned newValue: uogra oldValue: bukkittu oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-28 05:37:36.0
action: updated fieldName: Product newValue: ColdFusion oldValue: ColdFusion Builder oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-28 05:37:36.0
action: updated fieldName: Version newValue: 12.0 oldValue: 3.1 oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-28 05:37:36.0
action: updated fieldName: QE Assigned newValue: preethi oldValue: prk oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-28 05:37:36.0
Comment by CFwatson U.
3570 | March 09, 2016 04:28:53 AM GMT
Added By: preethi
Note Added: Hi Peter, The above scenario has already been logged as a bug. Hence closing the bug. Thanks!
Date Added: 2015-07-30 06:15:19.0
Added By: PreRelease User
User Name: Peter Freitag
Note Added: Entered Bug.
Date Added: 2015-07-27 18:54:02.0
Comment by CFwatson U.
3571 | March 09, 2016 04:28:55 AM GMT
Duplicate ID CF-4026100 isn't viewable/trackable. It should be. Thanks!, -Aaron
Comment by External U.
3572 | May 11, 2016 02:16:52 AM GMT
Hi Adobe, Please change Duplicate ID from CF-4026100 to CF-4126670 so that bugbase.adobe.com users can click to see the original. PR:CF-4026607|Public:CF-4126661 is duplicate of PR:CF-4026100|Public:CF-4126670 Thanks!, -Aaron
Comment by External U.
3573 | May 28, 2016 02:03:57 PM GMT