continuum-dev mailing list archives

From Brett Porter <br...@apache.org>
Subject Re: svn commit: r1091669 [1/2] - in /continuum/trunk/continuum-webapp/src/main/webapp/WEB-INF/jsp: ./ admin/ components/ navigations/
Date Wed, 13 Apr 2011 07:14:17 GMT


On 13/04/2011, at 4:36 PM, ctan@apache.org wrote:

> Author: ctan
> Date: Wed Apr 13 06:36:20 2011
> New Revision: 1091669
> 
> URL: http://svn.apache.org/viewvc?rev=1091669&view=rev
> Log:
> [CONTINUUM-2620] use c:out and fn:escapeXml to prevent XSS attacks

It's good to be cautious in this area, but most of the c:out's are overprotective (e.g. things
that are generated by the app). I'd like to make sure we catch these things where they are
invalid on the way in, rather than just on the page.

I'm not sure the fn:escapeXml is useful. On the redback tags, there's no XSS risk as it never
gets onto the page. For the following, it might not be sufficient:

<a style="border: 1px solid #DFDEDE; padding-left: 1em; padding-right: 1em; text-decoration:
none;" href="${fn:escapeXml(projectGroupMembersUrl)}"

What happens if the url contains this?

" onerror="javascript:alert('gotcha')

I think as long as those URLs are properly validated where they are created they should be
fine without the fn.

- Brett

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
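An added example, not from this thread or the Continuum code base, of the "validate on the way in" approach the reply argues for: a hypothetical LinkUrlValidator that accepts only http(s) or relative links, beside a re-implementation of the substitutions fn:escapeXml performs, so the two checks can be compared on the inputs discussed above. Class, method and sample values are assumptions chosen for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper, not Continuum code: validate link URLs where they are created, not only on the page.
public final class LinkUrlValidator {
    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");
    // Accept only absolute http(s) URLs or scheme-less relative paths; anything else is rejected on input.
    public static boolean isSafeLinkUrl(String url) {
        if (url == null || url.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // an embedded quote or space is not legal in a URI, so the quote break-out fails here
        }
        if (uri.getScheme() == null) {
            return !url.startsWith("//"); // relative path; reject protocol-relative "//host"
        }
        return ALLOWED_SCHEMES.contains(uri.getScheme().toLowerCase());
    }
    // The same substitutions JSTL's fn:escapeXml makes: &, <, >, " and '.
    public static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        // Constructed samples: a relative link, an absolute https link, a javascript: URL that
        // escapeXml leaves unchanged (no XML-special characters), and the quote string from the mail.
        String[] samples = { "projectGroupMembers.action?projectGroupId=1", "https://ci.example.org/continuum/",
            "javascript:alert('gotcha')", "\" onerror=\"javascript:alert('gotcha')" };
        for (String s : samples) {
            System.out.printf("valid=%-5b escaped=%s%n", isSafeLinkUrl(s), escapeXml(s));
        }
    }
}
```

The third sample is the case escaping alone does not cover: it contains nothing for fn:escapeXml to rewrite, so only the scheme check rejects it.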

