On 13/04/2011, at 4:36 PM, [email protected] wrote:
> Author: ctan
> Date: Wed Apr 13 06:36:20 2011
> New Revision: 1091669
>
> URL: http://svn.apache.org/viewvc?rev=1091669&view=rev
> Log:
> [CONTINUUM-2620] use c:out and fn:escapeXml to prevent XSS attacks

It's good to be cautious in this area, but most of the c:out's are overprotective (e.g. things that are generated by the app). I'd like to make sure we catch these things where they are invalid on the way in, rather than just on the page.

I'm not sure the fn:escapeXml is useful. On the redback tags, there's no XSS risk as it never gets onto the page. For the following, it might not be sufficient:

<a style="border: 1px solid #DFDEDE; padding-left: 1em; padding-right: 1em; text-decoration: none;" href="${fn:escapeXml(projectGroupMembersUrl)}"

What happens if the URL contains this?

" onerror="javascript:alert('gotcha')

I think as long as those URLs are properly validated where they are created they should be fine without the fn.

- Brett

--
Brett Porter
[email protected]
http://brettporter.wordpress.com/
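
The following is an added example, not code from Continuum or from anyone in the thread. It reimplements the character mapping that JSTL's fn:escapeXml applies and renders the href from the message with it, so the two cases can be compared side by side: the `" onerror="...` payload quoted above, and a bare `javascript:` URL that contains no character escapeXml touches. It then shows the other half of the argument, a check applied where the URL is created. The URL values are constructed for the demonstration, and the validation rule (absolute http/https URLs or site-absolute paths only) is an assumption, not a Continuum rule.

```python
"""Added example, not Continuum code: what fn:escapeXml does and does not
cover for the href in the message above, and what an input-side check
looks like. URL values are constructed; the validation rule is an assumption."""
from urllib.parse import urlsplit

# Characters fn:escapeXml replaces, with the entities the JSTL spec uses.
_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    "'": "&#039;",
    '"': "&#034;",
}


def escape_xml(value: str) -> str:
    """Python stand-in for ${fn:escapeXml(value)}."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_link(url: str) -> str:
    """Render the anchor the way the JSP does: escape at output time only."""
    return f'<a href="{escape_xml(url)}">members</a>'


# Constructed test values (not from the project).
BREAKOUT = "\" onerror=\"javascript:alert('gotcha')"   # payload quoted in the message
SCHEME_ONLY = "javascript:alert('gotcha')"               # nothing for escapeXml to touch
GOOD_ABSOLUTE = "http://ci.example.org/continuum/projectGroupMembers.action?projectGroupId=1"
GOOD_RELATIVE = "/continuum/projectGroupMembers.action?projectGroupId=1"

ALLOWED_SCHEMES = {"http", "https"}   # assumption: what a members URL may use


def is_safe_url(url: str) -> bool:
    """Input-side check, i.e. the rule applied where the URL is created.

    Strips surrounding whitespace, rejects remaining control characters
    (browsers drop tabs and newlines inside a scheme, so "java<TAB>script:"
    would otherwise be parsed as a relative path here but run in a browser),
    allows http/https absolute URLs, and allows site-absolute paths but not
    protocol-relative "//host" ones. This rule is an assumption, not Continuum's.
    """
    url = url.strip()
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    scheme = urlsplit(url).scheme.lower()
    if scheme:
        return scheme in ALLOWED_SCHEMES
    return url.startswith("/") and not url.startswith("//")


def store_url(url: str) -> str:
    """What 'catch it on the way in' looks like: refuse to persist bad values."""
    if not is_safe_url(url):
        raise ValueError(f"refusing to store URL: {url!r}")
    return url


if __name__ == "__main__":
    # 1. Breakout payload: every " becomes &#034;, so the attribute is never
    #    closed and no onerror= attribute is created.
    print(render_link(BREAKOUT))
    # 2. Bare javascript: URL: only the quotes are entity-encoded, and the
    #    browser decodes &#039; back to ' before following the link.
    print(render_link(SCHEME_ONLY))
    # 3. Only the input-side check distinguishes case 2 from a real URL.
    for url in (GOOD_ABSOLUTE, GOOD_RELATIVE, BREAKOUT, SCHEME_ONLY):
        print(f"{is_safe_url(url)!s:5} {url}")
```

Running it prints the two rendered anchors and then the verdict of `is_safe_url` for each constructed value; the escaped breakout payload never closes the `href` attribute, while the `javascript:` URL survives output escaping unchanged in effect and is caught only by the check on the way in.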
