APAR status
Closed as documentation error.
Error description
This is a doc APAR to request documentation for a new function.
Since WAS 3.5.4, the new function
ResponseUtils#encodeDataString(String) has been implemented.
Local fix
Problem summary
The following needs to be added due to security efix PQ47386 for
versions 302 and 35. This documentation change was already
included in ASV40.
A Web site may inadvertently include malicious HTML tags or
scripts in a dynamically generated page based on unvalidated
input from untrustworthy sources. By accessing a malicious URL
and then accessing an application server,
a user may unknowingly execute script code on his machine that
has full access to the data and resources on that machine. The
browser executes the script on the user machine without the
knowledge of the user.
The malicious tags that can be embedded in this way are <SCRIPT>
and </SCRIPT>.
This problem can be prevented if the server-generated pages are
encoded to prevent the scripts from executing. Developers
generating responses containing client data, based on servlet or
JSP requests, can encode the response
data using the following static method:
com.ibm.websphere.servlet.response.ResponseUtils.encodeDataString(String)
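As an added illustration (not part of this APAR or of the WebSphere documentation it requests), a hypothetical servlet that echoes a request parameter into a generated page, shown first in the unencoded form the summary warns about and then with the response data passed through ResponseUtils.encodeDataString(String). The servlet class, its method names and the "name" parameter are assumptions; the APAR documents only the static method itself.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.servlet.response.ResponseUtils;

/**
 * Hypothetical servlet (added example, not from the APAR). It writes an
 * unvalidated request parameter into a dynamically generated page, which is
 * the pattern described in the problem summary.
 */
public class EchoServlet extends HttpServlet {

    // "Before" form: the untrusted value is concatenated straight into the HTML.
    // A value containing <SCRIPT> ... </SCRIPT> would be parsed by the browser as
    // markup rather than as text, so it is kept here only to show the contrast.
    private void writeUnencoded(PrintWriter out, String name) {
        out.println("<p>Hello, " + name + "</p>");
    }

    // "After" form: the value is encoded with the WAS 3.5.4 static method before
    // it is placed in the response, so tag delimiters reach the browser as data.
    private void writeEncoded(PrintWriter out, String name) {
        out.println("<p>Hello, " + ResponseUtils.encodeDataString(name) + "</p>");
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html");
        // Parameter name is an assumption for this example; the value arrives
        // unvalidated from the request URL.
        String name = req.getParameter("name");
        if (name == null) {
            name = "";
        }
        PrintWriter out = resp.getWriter();
        writeEncoded(out, name);
    }
}
```

The encoding belongs at the point where client-supplied data is written into the response, not at input time, so that the same stored value can be emitted safely in any page that later displays it.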
Visit the CERT advisories Web site for more information.
The CERT advisory link above is: http://www.cert.org/advisories/CA-2000-02.html
Problem conclusion
This risk is noted in the V3.5.x and future release docs. For
V3.5.x, it will be publicly
available when we refresh the InfoCenter for V3.5.5.
Article 4.2.1.2.3b was updated with this CERT advisory. The v3.
Info Centers
will contain this information at the next refresh.
Temporary fix
Comments
APAR information
APAR number: PQ49564
Reported component name: WAS ADVANCED AI
Reported component ID: 5648C8400
Reported release: 350
Status: CLOSED DOC
PE: NoPE
HIPER: NoHIPER
Submitted date: 2001-06-13
Closed date: 2001-06-29
Last modified date: 2001-06-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Applicable component levels