From: Janne Jalkanen
Subject: Re: aliases?
Date: Thu, 3 Jul 2008 09:59:35 +0300
To: jspwiki-user@incubator.apache.org

> Wouldn't a simple solution to that be to filter for URLs and have the
> alias declaration fail upon finding any? Similarly, any XML/HTML
> markup?
>
> E.g., if the alias string contains "<", ">", "&" or "://" we kill it.

Nope. Only whitelisting works (that is, approve only [A-Za-z0-9_.] or
something like that; well, the internationalized version with \p{...}).
And not necessarily even then - there are SQL injection attacks which
need no quote escapes.

/Janne
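The two approaches under discussion side by side, as an added example that is not Janne's code and not part of JSPWiki: the substring blacklist from the quoted proposal, the ASCII whitelist from the reply, and an internationalised whitelist. Python's re module has no \p{L}/\p{N}, so the Unicode version uses \w (letters, digits and underscore in Python 3) as a stand-in; that substitution, and all the probe strings, are this example's own constructions.

```python
import re

# --- Blacklist, as proposed in the quoted message ------------------------
# Reject the alias if it contains any of these substrings; accept otherwise.
BLACKLIST = ("<", ">", "&", "://")

def blacklist_allows(alias: str) -> bool:
    """True if the substring blacklist would let this alias through."""
    return not any(bad in alias for bad in BLACKLIST)

# --- Whitelist, as in the reply -----------------------------------------
# ASCII version: only letters, digits, underscore and dot, nothing else.
ASCII_ALIAS = re.compile(r"[A-Za-z0-9_.]+")

# Internationalised version. Python's re has no \p{L}/\p{N}, so \w (Unicode
# letters, digits and underscore in Python 3 str patterns) stands in for the
# Unicode-property class. This substitution is the example's assumption.
UNICODE_ALIAS = re.compile(r"[\w.]+")

def whitelist_allows(alias: str, pattern: re.Pattern = ASCII_ALIAS) -> bool:
    """True only if the entire alias matches the allowed character class."""
    return pattern.fullmatch(alias) is not None

# --- Constructed probe inputs (made up for this example) -----------------
PROBES = [
    "Main_Page.v2",          # ordinary alias
    "Café",                  # non-ASCII letter: ASCII whitelist rejects, Unicode accepts
    "<b>bold</b>",           # markup: every filter rejects it
    "http://example.org/",   # URL with "://": the blacklist catches it
    "javascript:alert(1)",   # URL with no "://": the blacklist misses it
    "1 OR 1=1",              # SQL injection payload containing no quotes
    "x; DROP TABLE pages",   # same idea, statement-terminator style
]

def evaluate(probes=PROBES):
    """Map each probe to (blacklist, ascii_whitelist, unicode_whitelist) verdicts."""
    return {
        p: (blacklist_allows(p), whitelist_allows(p), whitelist_allows(p, UNICODE_ALIAS))
        for p in probes
    }

if __name__ == "__main__":
    for alias, (bl, wl, uwl) in evaluate().items():
        print(f"{alias!r:26} blacklist={bl!s:5} ascii={wl!s:5} unicode={uwl!s:5}")
```

Run as a script, the table shows what the reply argues: the blacklist stops `<b>` and `http://`, but waves through a `javascript:` URL and quote-free SQL fragments such as `1 OR 1=1`, while both whitelists reject them because a space, `:` or `=` is simply not in the allowed class. The whitelist is still only a second line of defence; the closing caveat about quote-free injection is why database access should use parameterised queries regardless of how aliases are validated.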