jspwiki-user mailing list archives

From "Matthias Käppler" <m.kaepp...@googlemail.com>
Subject Re: JSPWiki "Special Pages"
Date Tue, 27 Nov 2007 13:35:43 GMT

2007/11/27, Andrew Jaquith <andrew.jaquith@mac.com>:
> Both of these ideas - arbitrary JavaScript injection and JSP injection
> via wikipage - are terrible ideas. They are guaranteed to get your
> site 0wed by an attacker.
> Do not do this. Instead, customise the JSPs directly.

Not sure what you're getting at. Are you saying one should not add his
custom JSPs to JSPWiki? By that logic you couldn't use any JSPs at all. And
whether you're linking to them through a wiki link or simply entering their
address in the browser location bar shouldn't make any difference in terms
of security.

All I am doing is adding yet another JSP to JSPWiki which uses JavaScript
for some UI logic and asynchronous HTTP requests. If adding custom JSPs
which make use of standard JavaScript opens security holes in JSPWiki, then
JSPWiki may be fundamentally broken in terms of security.
