continuum-dev mailing list archives

From Marica Tan <marica....@gmail.com>
Subject Re: svn commit: r1091669 [1/2] - in /continuum/trunk/continuum-webapp/src/main/webapp/WEB-INF/jsp: ./ admin/ components/ navigations/
Date Wed, 13 Apr 2011 22:44:42 GMT
On Wed, Apr 13, 2011 at 3:14 PM, Brett Porter <brett@apache.org> wrote:

>
>
> On 13/04/2011, at 4:36 PM, ctan@apache.org wrote:
>
> > Author: ctan
> > Date: Wed Apr 13 06:36:20 2011
> > New Revision: 1091669
> >
> > URL: http://svn.apache.org/viewvc?rev=1091669&view=rev
> > Log:
> > [CONTINUUM-2620] use c:out and fn:escapeXml to prevent XSS attacks
>
> It's good to be cautious in this area, but most of the c:out's are
> overprotective (e.g. things that are generated by the app). I'd like to make
> sure we catch these things where they are invalid on the way in, rather than
> just on the page.
>
> Will still be adding/modifying validations in the action classes.


> I'm not sure the fn:escapeXml is useful. On the redback tags, there's no
> XSS risk as it never gets onto the page. For the following, it might not be
> sufficient:
>
> <a style="border: 1px solid #DFDEDE; padding-left: 1em; padding-right: 1em;
> text-decoration: none;" href="${fn:escapeXml(projectGroupMembersUrl)}"
>
> What happens if the url contains this?
>
> " onerror="javascript:alert('gotcha')
>
> I think as long as those URLs are properly validated where they are created
> they should be fine without the fn.
>
>
Ok noted.


Thanks,
--
Marica


> - Brett
>
> --
> Brett Porter
> brett@apache.org
> http://brettporter.wordpress.com/
>
>
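To make the distinction in the thread concrete (output escaping versus validating on the way in), here is an added illustration that is not Continuum's code and not part of either mail. It reimplements the five substitutions JSTL's fn:escapeXml performs, renders the href pattern from the commit, and adds a hypothetical input-side check (`is_valid_link_url`, an assumption about how an action class might validate) of the kind Brett asks for. It shows that escaping keeps the attribute from being broken open by the quoted string in the thread, but that escaping alone does not reject a value that is simply not an acceptable link, which is what the input-side check is for.

```python
from urllib.parse import urlsplit

# The five replacements fn:escapeXml makes (reimplemented here for illustration;
# this is not the taglib's own code).
_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&#034;",
    "'": "&#039;",
}

ALLOWED_SCHEMES = {"http", "https"}


def escape_xml(value: str) -> str:
    """Output-side escaping: neutralises markup characters, validates nothing."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_link(url: str) -> str:
    """The href pattern from the commit: the value is escaped as it is written out."""
    return '<a href="%s">members</a>' % escape_xml(url)


def attribute_intact(html: str) -> bool:
    """True when the rendered anchor still has exactly one quoted href value,
    i.e. no raw double quote survived to close the attribute early."""
    return html.count('"') == 2


def is_valid_link_url(url: str) -> bool:
    """Hypothetical input-side check for an action class (an assumption, not
    Continuum's validator): accept absolute http(s) URLs with a host, or a
    site-relative path; reject every other scheme and protocol-relative forms."""
    parts = urlsplit(url)
    if parts.scheme:
        return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)
    return url.startswith("/") and not url.startswith("//")


if __name__ == "__main__":
    # Constructed sample values: the quoted string from the thread, a scheme that
    # is not a link, a relative path and an absolute URL.
    samples = [
        '" onerror="javascript:alert(\'gotcha\')',
        "javascript:alert('gotcha')",
        "/continuum/projectGroupMembers.action?projectGroupId=1",
        "http://example.invalid/continuum/projectGroupMembers.action",
    ]
    for s in samples:
        print(repr(s))
        print("  rendered:         ", render_link(s))
        print("  attribute intact: ", attribute_intact(render_link(s)))
        print("  accepted on input:", is_valid_link_url(s))
```

Run against the first sample, the escaped output keeps the attribute closed (the quotes become `&#034;`), so the breakout Brett describes does not occur with the escape in place; against the second, escaping leaves the value byte-for-byte a `javascript:` reference, and only the input-side check rejects it. Which check belongs where is exactly the point of the thread: escape on output for markup safety, validate on input for meaning.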
