Where I am going at with this...is this a vulnerability caused by coding the apps, or the containers themselves?
i.e., Will I have this problem with a perl app running on httpd? or ASP/C# on IIS? Is this type of vulnerability a facet of responsibility that lies on the container, or the developer? I am just trying to assess this as a true vulnerability from a web container perspective. I am assuming, that yes, the container could change the < and > to lt&; and gt&;. But, I am wondering where we draw the line and wonder if that is too heavy handed. If the other web servers provide protection from this, then I guess its safe to assume we should follow the pack. OTOH, I surely would not want to take away too much responsibility of the developer to ensure they are properly securing their own apps, while maintaining a bit of flexibility for them. Jeff Kevan Miller wrote: > > On Jan 18, 2006, at 11:24 AM, Jeff Genender wrote: > >> So assuming this appears to be somewhat "examples" related, is this >> truly a container problem, or just the jsp examples implementation? > > IANASE, but it seems that any vulnerabilities must be fixed in the apps > themselves -- certainly seems like the only course of action for G > 1.0.1. I'm currently aware of problems with samples and the admin console. > > Apps must insure they return appropriate content to clients. I don't see > how a container could provide general XSS protection... I'm sure there > are people who know much more than I on the topic... > > --kevan
