Cheers
Prasad
On 1/18/06, Prasad Kashyap <[EMAIL PROTECTED]> wrote:
Jeff, to answer your question about containers on other servers handling XSS, I can say that WebSphere too leaves it to the apps to protect themselves. Would it be too paranoid for a container to handle this?
Joe, the scripts can be entered on the request just like any other parameter using the input field.
E.g. You have a login page with a field for loginid. The user enters a script in the field. Now assume that security is turned off and just about any userid is allowed inside. After logging in, the console displays a "Welcome <userid>" somewhere there. Had the user entered a script, it would have been executed soon after the Welcome rendered.
Another example. Say you have a search url. http://localhost:8080/console/search.jsp?pattern="<script>alert('hi')</script>"
When the search servlet can't find that pattern, if it is designed to render a page that says, "<pattern> not found", then the script will be executed at that stage.
Cheers
Prasad
On 1/18/06, Dave Colasurdo <[EMAIL PROTECTED]> wrote:
Snippets from another offline conversation with the Tomcat folks..
>> Has Tomcat (the container) considered checking input URIs for scripting
>> tags and rendering them innocuous by substitution (e.g. <script> -->
>> &lt;script&gt;) therefore never writing back scripting tags to the
>> browser? Are there drawbacks to this approach?
I think it's been considered in the past, though I'm not certain what
the conclusions were. It wouldn't be that hard to do with a Valve for
the server as a whole, or with a Filter (which would also be
server-independent and thus more portable) for a specific webapp.
>> Do you foresee any difficulty with using a jsp-examples snapshot from
>> 5.5.16 with the Tomcat 5.5.15 runtime?
No, that should be fine.
>> Better yet, any chance of
>> getting the TC 5.5.15 jsp-examples war with the security vulnerability
>> fixed?
No, we don't want to re-package and re-tag for this issue.
