On Tue, 27-02-2007 at 15:23 +0100, Eric Nolte wrote:
> Hi,
>
> it seems that Jetspeed in its default configuration is vulnerable to
> cross site scripting like this:
> http://localhost:8080/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e
>
> My question is how can I prevent this?
> One possibility is to write a valve and filter the URL. Depending on
> the pattern of the URL I can reject the request.
>
> Do you have a better idea how to solve this or is there already a
> common way for doing this?
>
Could you please report it as a JIRA issue? IMO this is a blocker if it is still present in 2.1rc*

Regards
Santiago

> Thanks in advance.
>
> Regards,
> Eric
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
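The "filter the URL" idea raised above, written out as an added example that is not Jetspeed's own code nor the fix the project eventually shipped: a servlet Filter that decodes the request path once and rejects anything outside a strict allowlist of path characters, so a path like the quoted `"><script>...` one is refused before any component can reflect it. The class name, the allowlist pattern and the context-path handling are assumptions; it is defence in depth, and the value still has to be HTML-escaped wherever the portal writes it into a page.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not Jetspeed code: rejects portal paths containing characters
// a .psml page path never legitimately needs. Pattern is an assumption.
public class PsmlPathFilter implements Filter {

    // Allowlist: '/'-separated segments of letters, digits, '.', '_' and '-'.
    // '%' is deliberately excluded, so a double-encoded path ("%2522" -> "%22")
    // still fails after the single decode below instead of slipping through.
    private static final Pattern SAFE_PATH =
        Pattern.compile("^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]*$");

    static boolean isSafePath(String encodedPath) {
        try {
            String decoded = URLDecoder.decode(encodedPath, "UTF-8");
            return SAFE_PATH.matcher(decoded).matches();
        } catch (IllegalArgumentException e) {
            return false; // malformed percent-encoding: refuse rather than guess
        } catch (UnsupportedEncodingException e) {
            return false; // cannot happen for UTF-8, but never fail open
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Strip the context path ("/jetspeed") so only the portal path is checked.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!isSafePath(path)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

With this mapped to `/portal/*` in web.xml, `/portal/pages/default-page.psml` passes while the quoted path, which decodes to `"><script>...`, is answered with 400 and never reaches the page renderer.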
