From: Andrew Jaquith
To: "jspwiki-dev@incubator.apache.org"
Cc: "jspwiki-dev@incubator.apache.org"
Subject: Re: question on username
Date: Sat, 8 Dec 2007 12:08:19 -0500
Message-Id: <7A5D4756-6E94-4C2C-9717-C1EDD29E7220@mac.com>
In-Reply-To: <4C14FAE5-6A55-40A2-861E-545B4FE542C3@ecyrd.com>
References: <15cc92000712061054j6874696cx4884b06817453ec8@mail.gmail.com> <4C14FAE5-6A55-40A2-861E-545B4FE542C3@ecyrd.com>

Yeah, the backslash is something we need to preserve.

My general paranoid urge says that it's best to remove quotes and other special characters upon input to eliminate XSS. But an equally valid strategy is simply to make sure the *output* is properly escaped using TextUtil. That is probably more compatible.

Lemme check out the code and think about this a bit more...

On Dec 8, 2007, at 7:44, Janne Jalkanen wrote:

> I think it's okay to remove all the quotes, but I think some people are using some weird Windows names, which include a backslash. And some systems also offer brackets.
>
> So I don't really know what the allowed set of characters should be. Maybe some people are using quotes as well.
>
> /Janne
>
> On 6 Dec 2007, at 20:54, Dirk Frederickx wrote:
>
>> Ref. XSS vulnerability
>>
>> Which characters are allowed in the jspwiki username ?
>>
>> From what I can see, there are only checks on isBlank, all other characters seem to be allowed.
>> Also the single quote, which is dangerous in the common-header.jsp, where the username is inserted as JavaScript string.
>>
>> dirk
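The output-escaping strategy the thread settles toward, as an added example that is not JSPWiki code and does not use TextUtil's API: a username is inserted into a JavaScript string literal inside a script block (the context described for common-header.jsp), the raw concatenation is shown next to an escaped version, and a round-trip check confirms that escaping preserves backslashes and brackets in names while a quote can no longer end the literal. The function names and the sample usernames are constructed for this illustration.

```javascript
// Escape a value for use inside a single- or double-quoted JavaScript string
// literal within a <script> block (hypothetical helper, not TextUtil).
// Characters that could end the literal or the script block become \uXXXX
// escapes; a backslash becomes \\ so Windows-style names keep their meaning.
function escapeForJsString(value) {
  return String(value).replace(/[\\'"<>&\u2028\u2029\r\n]/g, (ch) => {
    if (ch === "\\") return "\\\\";
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// Unsafe rendering: the name is concatenated into the literal unchanged,
// so an apostrophe in it closes the string early.
function renderHeaderUnsafe(username) {
  return `<script>var userName = '${username}';</script>`;
}

// Hardened rendering: same template, escaping applied at output time.
// Nothing is stripped from the name, so no character set has to be chosen.
function renderHeaderSafe(username) {
  return `<script>var userName = '${escapeForJsString(username)}';</script>`;
}

// Defender's check: decoding the escaped literal must give back the original
// name (every escape emitted is also valid JSON, so JSON.parse can decode it),
// and the escaped text must contain no raw delimiter or line break.
function roundTrips(username) {
  const escaped = escapeForJsString(username);
  const decoded = JSON.parse('"' + escaped + '"');
  const clean = !/['"<>\r\n\u2028\u2029]/.test(escaped);
  return decoded === username && clean;
}

// Constructed sample names: an apostrophe, a Windows domain name with a
// backslash, and a name using brackets.
const SAMPLE_NAMES = ["O'Brien", "CORP\\jdoe", "user[admin]"];

function allSamplesRoundTrip() {
  return SAMPLE_NAMES.every(roundTrips);
}
```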