Every solution I have seen on the web so far lays the onus on the website developer, in other words, on the application, to protect the site from XSS vulnerability.
Hmm. isn't there a container fix to it ?
http://www-128.ibm.com/developerworks/tivoli/library/s-csscript/
Cheers
Prasad
On 1/18/06, Joe Bohn <[EMAIL PROTECTED]> wrote:
I had an off-line discussion with Paul McMahan on this topic.
Our thoughts were that it is probably best to fix this problem in both
places if possible. The container fix seems best for not only the
console but also other uses ... but it is outside of our control and may
not be accepted by all containers we might support. Hence, Paul is
working on a solution for the portlet itself. We will continue to
pursue this with the container teams as well but we will ensure the
safety for 1.0.1 in our portlet.
Joe
Matt Hogstrom wrote:
> I think the Portlet is the right place to do this. That way the user is
> protected from broken containers (of which we currently have 2).
>
> John Sisson wrote:
>
>> Paul McMahan wrote:
>>
>>> Either approach should work but I would prefer to address the
>>> vulnerability in the log viewer portlet because it attaches the
>>> solution closest to where the specific problem is at. Also, the
>>> logger will be called on every request and doing the extra string
>>> manipulations could affect the web container's throughput.
>>>
>>> Best wishes,
>>> Paul
>>>
>> This reflects my sentiments as well.
>>
>> John
>>
>>>
>>> On 1/17/06, *Joe Bohn* < [EMAIL PROTECTED]
>>> <mailto:[EMAIL PROTECTED]>> wrote:
>>>
>>> Yes, this sounds like the best way to go.
>>>
>>> Regarding the specific problem with the web console displaying
>>> the web
>>> access log I'd like to get some consensus. Is this something
>>> that the
>>> containers should modify when storing the URL as part of a
>>> message in
>>> the appropriate web log? (I have confirmed this is a problem with
>>> both
>>> Tomcat and Jetty)
>>>
>>> Or, should we address this within the web access log viewer and/or
>>> management objects to modify the content of the log records when
>>> they
>>> are being displayed.
>>>
>>> My preference would be to make the modification at the time the log
>>> record is created.
>>>
>>> Joe
>>>
>>>
>>
>>
>>
>>
>>
>
>
--
Joe Bohn
joe.bohn at earthlink.net
"He is no fool who gives what he cannot keep, to gain what he cannot
lose." -- Jim Elliot
