Hello
The calendar component provided in Tapestry 5.1.0.5 could be used to allow
code injection by malicious web users into any page that uses datefield.
To reproduce the vulnerability, put JS code like
<script>alert("T5 is great"); </script> in any datefield and click on the
related calendar bitmap.
After a quick search in DateField.js, it seems the field value is not
escaped:

    triggerClicked : function()
    {
        if (this.field.disabled) return;

        if (this.popup == null)
        {
            this.createPopup();
        }
        else
        {
            if (this.popup.visible())
            {
                this.hidePopup();
                return;
            }
        }

        var value = $F(this.field);

        if (value == "")
        {
            this.datePicker.setDate(null);
            this.positionPopup();
            this.revealPopup();
            return;
        }

        var resultHandler = function(result)
        {
            var date = new Date();
            date.setTime(result);
            this.datePicker.setDate(date);
            this.positionPopup();
            this.revealPopup();
        };

        var errorHandler = function(message)
        {
            this.field.showValidationMessage(message);
            this.field.activate();
        };

        this.sendServerRequest(this.parseURL, value, resultHandler, errorHandler);
    },

Escaping the field value seems to solve this vulnerability:

    var value = escape($F(this.field));

Do I have to create a Jira for this issue?
In order to deliver a patch, we are currently using a decorator for
assetSource in order to provide another version of DateField.js.
Is there a better way to fix this issue?
Best Regards
François & Nourredine
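
An added example, not part of the original post and not Tapestry code: it contrasts the `escape()` percent-encoding proposed above with HTML-entity encoding applied at the point where a message is rendered. The function names, the CSS class, the sample message text and the assumption that a validation message echoes the field value are all hypothetical.

```javascript
// Added example, not Tapestry code; every name here is hypothetical.

// Constructed sample: the value the post types into a datefield.
const SAMPLE_VALUE = '<script>alert("T5 is great");</script>';

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Output encoding: makes text inert inside element content or a
// quoted attribute, whatever encoding it arrived in.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Transport encoding as in the post's workaround: escape() percent-encodes
// the value before it is sent to the server.
function transportEncode(value) {
  return escape(value);
}

// Percent-encoding is reversible: any later decoding step restores the
// original markup, so it does not protect the place where text is rendered.
function decodedAgain(value) {
  return unescape(transportEncode(value));
}

// Hypothetical sink. Assumption: a validation message may echo the
// submitted field value, so it is encoded at the point of rendering.
function renderValidationMessage(message) {
  return '<span class="validation-msg">' + escapeHtml(message) + '</span>';
}

// Crude check used only by this demo: does the string open a tag?
function opensTag(html, tagName) {
  return html.toLowerCase().includes('<' + tagName);
}

// Constructed message text standing in for a server-side parse error.
const echoed = 'Unparseable date: ' + decodedAgain(SAMPLE_VALUE);
console.log(transportEncode(SAMPLE_VALUE));
console.log(opensTag(echoed, 'script'));
console.log(opensTag(renderValidationMessage(echoed), 'script'));
```
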