Hi, does anyone know whether it is fixed? I saw it on the Apache sites, but when I try the URL below, I still see the issue:
http://localhost:8080/jetspeed/portal/F6%22%20onmouseover=prompt(900041)%20
Please help.
Regards,
anushh

Santiago Gala wrote:
>
> On Tue, 27-02-2007 at 15:23 +0100, Eric Nolte wrote:
>> Hi,
>>
>> It seems that Jetspeed in its default configuration is vulnerable to
>> cross-site scripting like this:
>> http://localhost:8080/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e
>>
>> My question is how can I prevent this?
>> One possibility is to write a valve and filter the URL. Depending on
>> the pattern of the URL I can reject the request.
>>
>> Do you have a better idea how to solve this, or is there already a
>> common way of doing this?
>>
> Could you please report it as a JIRA issue? IMO this is a blocker if it
> is still present in 2.1rc*
>
> Regards
> Santiago
>
>> Thanks in advance.
>>
>> Regards,
>> Eric
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: jetspeed-user-unsubscr...@portals.apache.org
>> For additional commands, e-mail: jetspeed-user-h...@portals.apache.org

--
View this message in context: http://old.nabble.com/Cross-Site-Scripting-Vulnerability--was%3A-Filter-URLs--tp9265898p34576100.html
Sent from the Jetspeed - Dev mailing list archive at Nabble.com.
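The following is an added example, not code from Jetspeed or from anyone in this thread. It models the two halves of a fix for the reflected XSS shown above: the URL-filtering valve Eric proposes (percent-decode the path until it is stable, then reject anything outside a path-character allowlist, so a double-encoded `%2522` cannot slip past a single decode), and the output-encoding step that is the real fix regardless of filtering. The two attack URLs are the ones posted in the thread; the benign path, the allowed character set (`SAFE_PATH`) and the function names are assumptions made for this example.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs: the two URL paths posted in this thread plus a benign one.
ATTACK_PATHS = [
    "/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e",
    "/jetspeed/portal/F6%22%20onmouseover=prompt(900041)%20",
]
BENIGN_PATH = "/jetspeed/portal/pages/default-page.psml"

# Allowlist for a fully decoded portal path: slash-separated segments made of
# letters, digits and a few punctuation characters. Quotes, angle brackets,
# spaces and any '%' that survived decoding are rejected. The exact character
# set is an assumption; tighten it to what your page names actually use.
SAFE_PATH = re.compile(r"^(/[A-Za-z0-9._~-]*)+$")


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing, so that a double-encoded
    quote (%2522 -> %22 -> ") is seen in its final form. Returns None if the
    value is still changing after max_rounds, which is itself suspicious."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return None


def is_safe_path(path):
    """The valve's decision: True only for a path that decodes cleanly and
    matches the allowlist. A caller would reject the request on False."""
    decoded = fully_decode(path)
    return decoded is not None and SAFE_PATH.fullmatch(decoded) is not None


def reflect_unsafe(path):
    """Models a template that pastes the decoded path straight into an
    attribute: the attacker's quote closes the attribute and the rest of the
    payload becomes markup."""
    return '<a href="%s">' % fully_decode(path)


def reflect_safe(path):
    """Same reflection with HTML attribute escaping (quote=True escapes both
    quote characters as well as <, > and &), so the payload stays inert text."""
    return '<a href="%s">' % html.escape(fully_decode(path), quote=True)


if __name__ == "__main__":
    for p in ATTACK_PATHS + [BENIGN_PATH]:
        print("safe" if is_safe_path(p) else "REJECT", fully_decode(p))
    print(reflect_unsafe(ATTACK_PATHS[1]))
    print(reflect_safe(ATTACK_PATHS[1]))
```

When porting this to a servlet valve, run the check on the same value the application actually uses: `HttpServletRequest.getPathInfo()` is returned already decoded by the container, while `getRequestURI()` is not, so decoding twice or not at all will make the allowlist either too strict or bypassable. The allowlist valve limits exposure, but only escaping the reflected value at the point it is written into HTML removes the bug.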