
Found JavaScript Injection in URL

Question asked by clarityeur on Sep 15, 2013
Latest reply on Sep 15, 2013 by clarityeur
Hello,

Clarity 13.2 / Oracle / ON-DEMAND / Production environment

I'm seeing a continuous error message (APP-CA.log) with the following detail:

ERROR 2013-09-11 16:22:09,101 [http-bio-14001-exec-219] web.WebActionController (clarity:admin:6943186__36BB0772-D458-461B-B814-A663E9EA52FF:bpm.validateCustomActionScriptReturn) Found JavaScript : ((\\<|%3C|%3c)(\w)) in URL : action=bpm.validateCustomActionScriptReturn&action_description=%C3%A9cnto&action_code=action_ci&uitk.navigation.last.workspace.action=bpm.saveCustomActionScriptReturn&return_action=bpm.stepProperties&superSecretTokenKey=superSecretTokenValue&validate=true&object_type=admin&validate_script=true&process_version_id=5005024&custom_action_script_text=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%0D%0A%3Cgel%3Ascript+xmlns%3Agel%3D%22jelly%3Acom.niku.union.gel.GELTagLibrary%22%0D%0A++++++++++++xmlns%3Asql%3D%22jelly%3Asql%22%3E++++++%0D%0A%3Cgel%3AsetDataSource+dbId%3D%22niku%22+var%3D%22datasource%22%2F%3E%0D%0A%3Csql%3Aupdate+dataSource%3D%22%24%7Bdatasource%7D%22%3E%0D%0A%0D%0Aupdate+odf_ca_project%0D%0Aset++++ae_kot+%3D+case+when+ae_kot+is+null+then+sysdate+else+ae_kot+end%0D%0Awhere++id++%3D+%24%7Bgel_objectInstanceId%7D%0D%0A%0D%0A%3C%2Fsql%3Aupdate%3E%0D%0A%3C%2Fgel%3Ascript%3E&action_name=%C3%A9cnto&ui.page.space=bpm.processDefinitions&step_id=5007091&step_action_id=5006074&ui.page.template=union.adminPage&uitk.navigation.parent.location=Workspace&completion_option=1


ERROR 2013-09-11 16:22:09,102 [http-bio-14001-exec-219] web.WebActionController (clarity:admin:6943186__36BB0772-D458-461B-B814-A663E9EA52FF:bpm.validateCustomActionScriptReturn)
com.niku.union.web.WebException: Found JavaScript Injection in URL

I wonder if this is a known issue?

Thank you
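
A log-triage sketch, added here as an example and not part of the original post or of Clarity itself: it reads the filter pattern and the query string out of a "Found JavaScript" line and reports which request parameter the pattern matched. The sample line is a constructed, shortened copy of the one above, the name `triage` is hypothetical, and it assumes the filter was applied to the still-encoded query string exactly as logged.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: shortened copy of the log line in the post (session id,
# most parameters and most of the script body are left out).
SAMPLE_LOG = (
    "ERROR 2013-09-11 16:22:09,101 [http-bio-14001-exec-219] web.WebActionController "
    r"Found JavaScript : ((\\<|%3C|%3c)(\w)) in URL : "
    "action=bpm.validateCustomActionScriptReturn&action_code=action_ci"
    "&custom_action_script_text=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A"
    "%3Cgel%3Ascript%3E%3C%2Fgel%3Ascript%3E&step_id=5007091"
)

# Layout of the message as it appears in the log: "<pattern> in URL : <query>".
LOG_RE = re.compile(r"Found JavaScript : (?P<pattern>.+?) in URL : (?P<query>\S+)")


def triage(log_line):
    """Return [(param_name, matched_text, decoded_context)] for each filter hit."""
    m = LOG_RE.search(log_line)
    if m is None:
        return []  # not a "Found JavaScript" line
    # Reuse the pattern verbatim as logged instead of guessing at the filter.
    flt = re.compile(m.group("pattern"))
    hits = []
    for pair in m.group("query").split("&"):
        name = pair.partition("=")[0]
        # Assumption: the filter sees the encoded text, so match before decoding.
        for hit in flt.finditer(pair):
            # Decode a short window after the hit so a reviewer can read it.
            context = unquote_plus(pair[hit.start():hit.start() + 30])
            hits.append((name, hit.group(0), context))
    return hits


if __name__ == "__main__":
    for name, matched, context in triage(SAMPLE_LOG):
        print(f"{name}: matched {matched!r}, decoded context {context!r}")
```

On the sample, the leading `%3C%3Fxml` does not match because `?` is not a word character; the hit is `%3Cgel`, the opening tag of the GEL script carried in `custom_action_script_text`.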
