Mitigate XSS vulnerability in Reports version 6.3.4

It's about issue 140.
Please tell me how I can block the vulnerability in CUBA platform version 6.3.4. Unfortunately, an upgrade to 6.8-6.10 is not possible.


There is a way to mitigate this vulnerability. You will need to replace the standard window manager with a custom one.

Create a CustomWindowManager class in the web module that extends WebWindowManager:

import com.haulmont.cuba.web.WebWindowManager;
import org.apache.commons.lang.StringEscapeUtils;

public class CustomWindowManager extends WebWindowManager {
    protected String formatTabCaption(String caption, String description) {
        // use the unescaped text from the superclass here, so that the
        // caption is truncated before any HTML entities are introduced
        String s = super.formatTabDescription(caption, description);
        int maxLength = webConfig.getMainTabCaptionLength();
        if (s.length() > maxLength) {
            return s.substring(0, maxLength) + "...";
        } else {
            return s;
        }
    }

    protected String formatTabDescription(String caption, String description) {
        // you can also return null in order to disable tab tooltips at all
        // return null;

        // TabSheet uses HTML tooltips, so we need to escape all strings
        return StringEscapeUtils.escapeHtml(super.formatTabDescription(caption, description));
    }
}

Then define it in web-spring.xml as:

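    <!-- Replace standard window manager with custom; the class package below is a placeholder -->
    <bean id="cuba_WebWindowManager"
          class="your.package.web.CustomWindowManager" scope="prototype"/>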

This will prevent the incorrect interpretation of the window description as HTML in the main TabSheet and mitigate the issue.
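
The following stand-alone check is an added example, not part of the original answer or of CUBA. It shows what the override does to a window description that carries markup, and why the caption is truncated from the unescaped string rather than the escaped one. `escapeHtml` here is a minimal stand-in for `StringEscapeUtils.escapeHtml`, the `maxLength` value and the sample description are constructed, and the caption is assumed to be rendered as plain text.

```java
public class TabTooltipEscapingDemo {

    // Minimal stand-in for StringEscapeUtils.escapeHtml (assumption: only the
    // characters that matter for HTML text and attribute context are handled).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    // Same truncation rule as formatTabCaption in the answer.
    static String truncate(String s, int maxLength) {
        return s.length() > maxLength ? s.substring(0, maxLength) + "..." : s;
    }

    public static void main(String[] args) {
        // Constructed sample: a window description that contains markup.
        String description = "Sales <script>alert(1)</script> report";
        int maxLength = 8; // stands in for webConfig.getMainTabCaptionLength()

        // Tooltip: rendered as HTML by the TabSheet, so it is escaped in full.
        String tooltip = escapeHtml(description);

        // Caption: truncated from the raw string, as the override does.
        String caption = truncate(description, maxLength);

        // Escaping first and truncating afterwards cuts an entity in half.
        String escapedThenCut = truncate(escapeHtml(description), maxLength);

        System.out.println("tooltip:              " + tooltip);
        System.out.println("caption:              " + caption);
        System.out.println("escape-then-truncate: " + escapedThenCut);

        // The mitigation holds only if no raw angle bracket reaches the tooltip.
        if (tooltip.indexOf('<') >= 0 || tooltip.indexOf('>') >= 0) {
            throw new AssertionError("tooltip still contains raw markup");
        }
    }
}
```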

Thanks Yuriy, there's no script execution now.
Yet I added an @Override annotation to the formatTabCaption method.