"kevin furze" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> just a question that we don't need to rush to answer, just curious
> because its in an intranet environment
>
> I created a csp page and included a call to #server
> when its generated into html code, I see the following
>
> // invoke #server(csp.findadealer.formLoad())
Seems somewhat unnecessary. On the other hand, the encoded method is
unreadable so, in a complex JS construct, it might be nice to know. Perhaps
a compiler directive or flag could turn those off.
> return
> (cspRunServerMethod('JS_5bPNTkxV3Jgt1F6bgw_b/p_AE5pIg3Ue8DtjEajG291W-
> b32/arpdfdvr5vftA','') == 1);
>
> so the question is, I can see the
> // invoke #server(csp.findadealer.formLoad())
>
> what's the quick way to get that hidden. (seems like a security hole ??
You have to be smarter than me to find a way to change the parameter of
cspRunServerMethod to run "csp.pagename.knownEvilServerMethod()", encode it
and send it to the server. My assumption is that the key to the encoding is
stored in the user session, so there is no way to hack a different method
into the system.
--
John Bertoglio
Senior Consultant
co-laboratory
office: 503-538-8691
mobile: 503.330.6713
fax: 503.538.8691
www.co-laboratory.com
> )
>
>
> kev
>
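A toy model of the assumption John states above (the encoding key lives only in the user session), added here as an illustration and not InterSystems' actual cspRunServerMethod implementation: the method names and generated JS lines are taken from the thread, while the HMAC scheme, the class and function names are assumptions. It shows why the plain-text comment naming the method gives a client nothing usable without the session key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SessionMethodDispatcher:
    """Hypothetical model of one user session that authorizes #server calls
    with a per-session secret (not the real CSP encoding)."""

    def __init__(self) -> None:
        # The secret stays server-side in the session; it never reaches the browser.
        self.key = secrets.token_bytes(32)
        # Only methods the page generator actually emitted for this session.
        self.issued: Dict[str, str] = {}

    def issue(self, method: str) -> str:
        """Page-render time: turn a #server(...) call into the opaque
        parameter that ends up inside cspRunServerMethod('...')."""
        token = hmac.new(self.key, method.encode(), hashlib.sha256).hexdigest()
        self.issued[token] = method
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Request time: map a posted token back to a method, or None if it
        was never issued in this session (forged, guessed, or cross-session)."""
        for issued_token, method in self.issued.items():
            if hmac.compare_digest(issued_token, token):  # constant-time compare
                return method
        return None


def rendered_page(session: SessionMethodDispatcher) -> str:
    """Reproduce the generated JS from the thread: the comment names the
    method in clear text, the call carries only the session-bound token."""
    token = session.issue("csp.findadealer.formLoad()")
    return (
        "// invoke #server(csp.findadealer.formLoad())\n"
        f"return (cspRunServerMethod('{token}','') == 1);"
    )


def token_without_session_key(method: str) -> str:
    """Model of a client that learned a method name from the comment but has
    to guess the key: the result never matches what the session issued."""
    return hmac.new(b"guessed-key", method.encode(), hashlib.sha256).hexdigest()
```

The check that matters for the "security hole" question is `resolve`: a method name alone, even one copied from the HTML comment, never resolves unless this session rendered it with its own key.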