I opened a new JIRA issue for it: 
https://issues.apache.org/jira/browse/JS2-656, as well as committed a fix :)
The reported vulnerability is no longer possible.

Regards, Ate

David Sean Taylor wrote:
We're working on a fix, thanks

On Mar 2, 2007, at 12:31 AM, Santiago Gala wrote:

On Tue, 27-02-2007 at 15:23 +0100, Eric Nolte wrote:
Hi,

it seems that Jetspeed in its default configuration is vulnerable to
cross-site scripting like this:
http://localhost:8080/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e

My question is how can I prevent this?
One possibility is to write a valve and filter the URL. Depending on
the pattern of the URL I can reject the request.

Do you have a better idea how to solve this or is there already a
common way for doing this?


Could you please report it as a JIRA issue? IMO this is a blocker if it
is still present in 2.1rc*

Regards
Santiago

Thanks in advance.

Regards,
 Eric

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




--David Sean Taylor
Bluesunrise Software
[EMAIL PROTECTED]
[office] +01 707 773-4646
[mobile] +01 707 529 9194


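A defender-side illustration of the "valve that filters the URL" idea raised in Eric's question, as an added example that is not code from this thread or from Jetspeed itself: a servlet Filter that rejects any request whose percent-decoded request URI contains characters outside an allow-list for a portal page path, plus an HTML-escape helper for any value that is later written back into the page. The class name `PagePathFilter`, the allow-list pattern and the placement in front of the portal servlet are assumptions.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects requests whose decoded path is not a plain portal page path (assumed filter, not Jetspeed code). */
public class PagePathFilter implements Filter {
    // Allow-list: "/" alone, or one or more segments of letters, digits, '_', '.', '-'.
    private static final Pattern SAFE_PATH = Pattern.compile("/|(/[A-Za-z0-9_.\\-]+)+/?");

    /** True when the percent-decoded request URI contains only allow-listed characters. */
    static boolean isSafePath(String rawUri) {
        try {
            // e.g. ".../default-page.psml/%22%3e%3cscript%3e..." decodes to a path containing '"' and '<' and is rejected
            return SAFE_PATH.matcher(URLDecoder.decode(rawUri, "UTF-8")).matches();
        } catch (IllegalArgumentException | java.io.UnsupportedEncodingException e) {
            return false; // malformed percent-encoding: treat as unsafe
        }
    }

    /** Escape a value before it is written into HTML, so markup characters cannot break out of the page. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (!isSafePath(((HttpServletRequest) req).getRequestURI())) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return; // request never reaches the portal servlet
        }
        chain.doFilter(req, resp);
    }
}
```

The path allow-list is defence in depth for the URL shown in the report; escaping every value at the point where it is written into the page, as `escapeHtml` does, is what removes the injection regardless of how the request was phrased.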