incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Jaquith <andrew.jaqu...@mac.com>
Subject Re: question on username
Date Sat, 08 Dec 2007 17:08:19 GMT
Yeah, the backslash is something we need to preserve. My general  
paranoid urge says that it's best to remove quotes and other special  
characters upon input to eliminate XSS. But an equally valid strategy  
is simple to make sure the *output* is properly escaped using  
TextUtil. That is probably more compatible.

Lemme check out the code and think about this a bit more...

On Dec 8, 2007, at 7:44, Janne Jalkanen <Janne.Jalkanen@ecyrd.com>  
wrote:

>
> I think it's okay to remove all the quotes, but I think some people  
> are using some weird windows names, which include a backslash.  And  
> some systems also offer brackets.
>
> So I don't really know what the allowed set of characters should  
> be.  Maybe some people are using quotes as well.
>
> /Janne
>
> On 6 Dec 2007, at 20:54, Dirk Frederickx wrote:
>
>> Ref. xss vulnerability
>>
>> Which characters are allowed in the jspwiki username ?  
>> <wiki:Username/>
>>
>>> From what I can see, there are  only checks on isBlank, all other
>> characters seem to be allowed.
>> Also the single quote, which is dangerous in the common-header.jsp,
>> where the username is inserted as javascript string.
>>
>>
>>
>> dirk
>

Mime
View raw message