On Wed, Apr 13, 2011 at 3:14 PM, Brett Porter <[email protected]> wrote:
>
> On 13/04/2011, at 4:36 PM, [email protected] wrote:
>
> > Author: ctan
> > Date: Wed Apr 13 06:36:20 2011
> > New Revision: 1091669
> >
> > URL: http://svn.apache.org/viewvc?rev=1091669&view=rev
> > Log:
> > [CONTINUUM-2620] use c:out and fn:escapeXml to prevent XSS attacks
>
> It's good to be cautious in this area, but most of the c:out's are
> overprotective (e.g. things that are generated by the app). I'd like to make
> sure we catch these things where they are invalid on the way in, rather than
> just on the page.

Will still be adding/modifying validations in the action classes.

> I'm not sure the fn:escapeXml is useful. On the redback tags, there's no
> XSS risk as it never gets onto the page. For the following, it might not be
> sufficient:
>
> <a style="border: 1px solid #DFDEDE; padding-left: 1em; padding-right: 1em;
> text-decoration: none;" href="${fn:escapeXml(projectGroupMembersUrl)}"
>
> What happens if the url contains this?
>
> " onerror="javascript:alert('gotcha')
>
> I think as long as those URLs are properly validated where they are created
> they should be fine without the fn.

Ok noted.

Thanks,
-- Marica

> - Brett
>
> --
> Brett Porter
> [email protected]
> http://brettporter.wordpress.com/
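An added illustration of the two halves of the discussion above. This is example code written for this page, not Continuum's own code, and the URL validator is a hypothetical stand-in for whatever the action classes end up doing. escape_xml re-implements the five replacements documented for JSTL fn:escapeXml, so the " onerror=" payload Brett quotes can no longer break out of the href attribute once escaped; a javascript: URL, on the other hand, passes through the escaping untouched, which is exactly the case that only input-side validation catches. is_safe_url models that validation with a scheme allowlist and a character check. The name projectGroupMembersUrl is taken from the JSP in the thread; render_member_link and the sample URLs are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# The five replacements documented for JSTL fn:escapeXml. The mapping is
# applied one character at a time in a single pass, so nothing is
# double-escaped and nothing other than these five characters is touched.
_ESCAPE_XML = {
    "<": "&lt;",
    ">": "&gt;",
    "&": "&amp;",
    "'": "&#039;",
    '"': "&#034;",
}


def escape_xml(value: str) -> str:
    """Python re-implementation of JSTL fn:escapeXml (output-side escaping)."""
    return "".join(_ESCAPE_XML.get(ch, ch) for ch in value)


# Characters allowed in a URL (RFC 3986 unreserved + reserved + percent).
# A double quote, a space or a control character is never part of a URL,
# so the attribute-breakout payload from the thread fails this check
# before the scheme is even looked at.
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")

# Hypothetical allowlist for this example; the project may choose differently.
_ALLOWED_SCHEMES = {"http", "https"}


def is_safe_url(url: str) -> bool:
    """Input-side validation: the check to run where the URL is created.

    Accepts absolute http(s) URLs and path-relative or root-relative URLs.
    Rejects javascript:, data:, vbscript: and every other scheme, plus
    scheme-relative //host URLs. The character check runs first because
    browsers (and urlsplit) strip tabs and newlines inside a scheme, so
    "java\\tscript:" must be refused outright rather than normalised.
    """
    if not url or _URL_CHARS.fullmatch(url) is None:
        return False
    parts = urlsplit(url)
    if parts.scheme:
        return parts.scheme.lower() in _ALLOWED_SCHEMES
    return not url.startswith("//")


def render_member_link(project_group_members_url: str) -> str:
    """Model of the JSP line from the thread: validate on the way in, then
    escape on the way out. Raises ValueError for a rejected URL instead of
    rendering it."""
    if not is_safe_url(project_group_members_url):
        raise ValueError("rejected URL: %r" % (project_group_members_url,))
    return '<a href="%s">Members</a>' % escape_xml(project_group_members_url)


if __name__ == "__main__":
    # Constructed sample inputs, not data from the project.
    breakout = '" onerror="javascript:alert(\'gotcha\')'
    print(escape_xml(breakout))               # no raw quote survives
    print(escape_xml("javascript:alert(1)"))  # unchanged: escaping is not validation
    for candidate in ("/projectGroupMembers.action?projectGroupId=1",
                      "https://ci.example.org/groups/1/members",
                      "javascript:alert(1)",
                      breakout):
        try:
            print(render_member_link(candidate))
        except ValueError as exc:
            print(exc)
```

Running the block shows the escaped breakout payload as &#034; onerror=&#034;javascript:alert(&#039;gotcha&#039;), which is an inert attribute value, while javascript:alert(1) comes back unchanged from escape_xml and is only stopped by is_safe_url. A query string containing & is rendered as &amp;, which is the correct attribute encoding, so keeping the output-side escape costs nothing even once the input-side check is in place.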
