PQ49564: NEW FUNCTION WAS IMPLEMENTED RESPONSEUTILS#ENCODEDATASTRING(STRING)


APAR

APAR status
Closed as documentation error.

Error description
This is a doc APAR to request documentation for a new function.
Since WAS 3.5.4, the new function
ResponseUtils#encodeDataString(String) has been implemented.
Local fix
Problem summary
The following needs to be added due to security efix PQ47386 for
versions 302 and 35. This documentation change was already
included in ASV40.

A Web site may inadvertently include malicious HTML tags or
scripts in a dynamically generated page based on unvalidated
input from untrustworthy sources. By accessing a malicious URL
and then accessing an application server, a user may unknowingly
execute script code on his machine that has full access to the
data and resources on that machine. The browser executes the
script on the user's machine without the user's knowledge.

The malicious tags that can be embedded in this way include
<SCRIPT> and </SCRIPT>.

This problem can be prevented if server-generated pages are
encoded to prevent the scripts from executing. Developers
generating responses containing client data, based on servlet or
JSP requests, can encode the response data using the following
static method:
com.ibm.websphere.servlet.response.ResponseUtils.encodeDataString(String)

Visit the CERT advisories Web site for more information. The CERT
advisory link is:
http://www.cert.org/advisories/CA-2000-02.html
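The following servlet is an added example, not code from the APAR or from IBM, showing the reflected-input pattern the summary describes and the encoded form it recommends. It assumes a servlet container with the WebSphere runtime on the classpath so that com.ibm.websphere.servlet.response.ResponseUtils resolves; the servlet name, the "name" request parameter and the page markup are invented for illustration, and the exact set of characters that encodeDataString replaces is not stated on this page.

```java
// Added example (not from the APAR). Assumes the WebSphere runtime is on the
// classpath; servlet name, parameter name and markup are invented for illustration.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.servlet.response.ResponseUtils;

public class GreetingServlet extends HttpServlet {

    // Vulnerable form, kept only for comparison: the raw request parameter is
    // written straight into the page, so a URL such as
    //   /greeting?name=<SCRIPT>...</SCRIPT>
    // causes the victim's browser to run the attacker's script.
    private static String unsafeGreeting(String untrusted) {
        return "<p>Hello, " + untrusted + "</p>";
    }

    // Hardened form: the client-supplied string is passed through
    // ResponseUtils.encodeDataString before it reaches the response, so the
    // markup characters in the parameter are rendered as text instead of
    // being interpreted as tags.
    private static String safeGreeting(String untrusted) {
        return "<p>Hello, " + ResponseUtils.encodeDataString(untrusted) + "</p>";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // "name" arrives from the URL and must be treated as untrusted input.
        String name = req.getParameter("name");
        if (name == null) {
            name = "";
        }

        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        // Only the encoded version is emitted; unsafeGreeting is never called.
        out.println(safeGreeting(name));
        out.println("</body></html>");
    }
}
```

In a JSP the same call goes around each expression that echoes request data, for example `<%= ResponseUtils.encodeDataString(request.getParameter("name")) %>`, which is the only other output path the summary covers. The page describes encoding for data placed in HTML content; it does not say whether the method is also sufficient inside attribute values or script blocks, so output into those contexts should be reviewed separately.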
Problem conclusion
This risk is noted in the V3.5.x and future release docs. For
V3.5.x, it will be publicly available when we refresh the
InfoCenter for V3.5.5.
Article 4.2.1.2.3b was updated with this CERT advisory. The V3
Info Centers will contain this information at the next refresh.
Temporary fix
Comments
APAR information
APAR numberPQ49564
Reported component nameWAS ADVANCED AI
Reported component ID5648C8400
Reported release350
StatusCLOSED DOC
PENoPE
HIPERNoHIPER
Submitted date2001-06-13
Closed date2001-06-29
Last modified date2001-06-29

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:


Modules/Macros

Fix information

Applicable component levels

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ49564
IBM Group: Software Group
Modified date: 2001-06-29