continuum-dev mailing list archives

From Louis Smith <dr.louis.sm...@gmail.com>
Subject Re: Strange behavior on 1.4.2
Date Wed, 12 Aug 2015 19:59:25 GMT
The oops is deeper than I thought.  If you have a project name with
parentheses [Our Really Cool (ORC) project] it will load; if you edit it on
screen the edit will reject the name; but the next run puts it back from
the pom update code.  Can't have the pom loader/update routine accepting
what a screen edit won't.

Whatever the character suppression rules are for the XSS concerns, the POM
loader/validator must use the same.

Dr. Louis Smith, ThD
Chief Technology Officer, Kyra Solutions, Inc.
Museum Director, Veterans Memorial Railroad

On Tue, Aug 11, 2015 at 8:35 PM, Brent Atkinson <brent.atkinson@gmail.com>
wrote:

> Hi Louis,
>
> There isn't a global fix unfortunately. It appears input for a number of
> controls was white-listed in order to prevent cross site scripting (XSS)
> vulnerabilities, as described in
> https://issues.apache.org/jira/browse/CONTINUUM-2620. You are welcome to
> submit an issue and an appropriate patch expanding the input allowed for
> the controls in question. From your email, it seems you would only need to
> expand the argument fields.
>
> Brent
>
> On Tue, Aug 4, 2015 at 4:57 PM, Louis Smith <dr.louis.smith@gmail.com>
> wrote:
>
> > One of the technologies that we have under Continuum management at one of
> > my clients is Oracle Forms.
> >
> > The vendor supplied scripts to build/deploy require parameters including a
> > database linkage parm in the form of id/pw@instance
> >
> > This seems to now have an issue - reporting "Arguments contains invalid
> > characters".
> >
> > Looks like BuildDefinitionAction-saveBuildDefinition-validation.xml has
> > gotten more aggressive in checking the arguments line.
> >
> > Advice on an easy "global" fix for this, or do I need to edit all the
> > validation.xml files?
> >
> > Thanks,
> >
> > Louis
> >
> > Dr. Louis Smith, ThD
> > Chief Technology Officer, Kyra Solutions, Inc.
> > Museum Director, Veterans Memorial Railroad
> >
>
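
The mismatch described in this thread, as an added example that is not part of the original messages and is not Continuum code: a check that runs the same sample names through the screen-edit rule and the POM-update rule and lists every name the two paths treat differently. The pattern, class name and rule names are assumptions made for illustration; the thread does not show Continuum's actual validation expressions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;
import java.util.regex.Pattern;

public class NameRuleConsistency {
    // Hypothetical allow-list standing in for the screen-edit validator;
    // the real Continuum expression does not appear in the thread.
    static final Pattern FORM_ALLOWED = Pattern.compile("[A-Za-z0-9_.\\- ]+");

    // Screen-edit path: enforces the allow-list.
    static final Predicate<String> FORM_RULE =
            name -> name != null && FORM_ALLOWED.matcher(name).matches();

    // POM-update path as the thread describes it: accepts whatever the POM holds.
    static final Predicate<String> POM_RULE_DIVERGENT =
            name -> name != null && !name.isEmpty();

    // Remedy: the POM path delegates to the same rule object as the form,
    // so widening or narrowing the allow-list changes both paths at once.
    static final Predicate<String> POM_RULE_SHARED = FORM_RULE;

    /** Returns every sample that one path accepts and the other rejects. */
    static List<String> divergences(List<String> samples,
                                    Predicate<String> a, Predicate<String> b) {
        List<String> out = new ArrayList<>();
        for (String s : samples) {
            if (a.test(s) != b.test(s)) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample names; the second is the one quoted in the thread.
        List<String> samples = Arrays.asList(
                "Build Tools",
                "Our Really Cool (ORC) project",
                "Demo <b>bold</b>");
        System.out.println("divergent paths: "
                + divergences(samples, FORM_RULE, POM_RULE_DIVERGENT));
        System.out.println("shared rule:     "
                + divergences(samples, FORM_RULE, POM_RULE_SHARED));
    }
}
```

Whether parentheses belong in the allow-list is a separate decision; the check only shows that both entry points give the same answer for a given name.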
