incubator-jspwiki-user mailing list archives

From Andrew Jaquith <>
Subject Re: JSPWiki "Special Pages"
Date Tue, 27 Nov 2007 13:20:04 GMT
Both of these ideas - arbitrary JavaScript injection and JSP injection
via wikipage - are terrible ideas. They are guaranteed to get your
site 0wned by an attacker.

Do not do this. Instead, customise the JSPs directly.


On Nov 27, 2007, at 3:09, Matthias Käppler <> wrote:

> Hi Terry,
> 2007/11/26, Terry Steichen <>:
>> Matthias,
>> Upon rereading your post, I think you raise a couple of issues that are
>> kind of intertwined.  First, you seem to be asking if you can display
>> your own JSP within JSPWiki (rather than being restricted to using only
>> text-based wikipages).  Second (assuming that the answer is 'yes' to the
>> first question), you ask if you can use the 'specialPage' feature to
>> link to this new page from an ordinary wikipage (like LeftMenu).
>> The answer to both questions is 'yes', but there's a small amount of
>> customizing (to ViewTemplate.jsp) that needs to be done to accomplish
>> this.  But before getting into how this can be done, maybe you can
>> confirm that you did indeed intend to ask the two above questions I
>> describe above (or perhaps add some additional clarification).
> That is correct, I am writing a Dojo-driven semantic search interface, so I
> have to run a lot of client-side JavaScript in that JSP. Of course I also
> want the search to be reachable from the LeftMenu (or any other wikipage). So,
> yes, these two problems are connected and I'd be glad for any hints.
> Best,
> Matthias
