incubator-jspwiki-user mailing list archives

From Janne Jalkanen <Janne.Jalka...@ecyrd.com>
Subject Re: aliases?
Date Thu, 03 Jul 2008 06:59:35 GMT
> Wouldn't a simple solution to that be to filter for URLs and have the
> alias declaration fail upon finding any? Similarly, any XML/HTML
> markup?
>
> E.g., if the alias string contains "<", ">", "&" or "://" we kill it.

Nope.  Only whitelisting works (that is, approve only [A-Za-z0-9_.]
or something like that (well, the internationalized version with \{p})).
And not necessarily even then - there are SQL injection attacks which
need no quote escapes.

/Janne
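As an added example (not code from this thread or from JSPWiki itself), the denylist proposed in the quoted message is placed beside the two whitelists Janne describes and run over constructed sample aliases; the Unicode whitelist stands in for the \p{L}-style check using unicodedata categories, and every sample value is made up for the illustration:

```python
import re
import unicodedata

# Denylist from the quoted message: reject an alias if it contains any of these.
DENYLIST_TOKENS = ("<", ">", "&", "://")

# ASCII whitelist from the reply: the whole alias must consist of [A-Za-z0-9_.].
ASCII_ALIAS = re.compile(r"[A-Za-z0-9_.]+")


def denylist_ok(alias: str) -> bool:
    """Blacklist approach: accept unless a known-bad token is present."""
    return not any(tok in alias for tok in DENYLIST_TOKENS)


def ascii_allowlist_ok(alias: str) -> bool:
    """Whitelist approach: fullmatch, so an empty string is rejected too."""
    return ASCII_ALIAS.fullmatch(alias) is not None


def unicode_allowlist_ok(alias: str) -> bool:
    """Internationalized whitelist: every character must be a Unicode letter
    (category L*), a Unicode number (category N*), '_' or '.'.
    This mirrors a \\p{L}/\\p{N} character class without the regex module."""
    if not alias:
        return False
    return all(
        ch in "_." or unicodedata.category(ch)[0] in ("L", "N")
        for ch in alias
    )


def passes_denylist_but_not_allowlist(aliases, allowlist=unicode_allowlist_ok):
    """Aliases the denylist would let through that the whitelist rejects:
    exactly the gap Janne's reply is pointing at."""
    return [a for a in aliases if denylist_ok(a) and not allowlist(a)]


# Constructed samples (hypothetical alias strings, not from the thread).
SAMPLES = [
    "Main",              # plain ASCII page name
    "Main.Page_2",       # dots and underscores are allowed by both whitelists
    "Main Page",         # space: denylist accepts, both whitelists reject
    "",                  # empty: denylist accepts, both whitelists reject
    "a;b",               # punctuation the denylist never anticipated
    "Straße",            # non-ASCII letter: only the Unicode whitelist accepts
    "日本語",             # CJK letters: only the Unicode whitelist accepts
    "<b>x</b>",          # markup: rejected by every check
    "http://example.com", # URL: rejected by every check
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(repr(a), denylist_ok(a), ascii_allowlist_ok(a), unicode_allowlist_ok(a))
```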
