Hi,

2007/11/27, Andrew Jaquith <[EMAIL PROTECTED]>:
> Both of these ideas - arbitrary JavaScript injection and JSP injection
> via wikipage - are terrible ideas. They are guaranteed to get your
> site 0wed by an attacker.
>
> Do not do this. Instead, customise the JSPs directly.
Not sure what you're getting at. Are you saying one should not add his own custom JSPs to JSPWiki? By that logic you couldn't use any JSPs at all. Whether you're linking to them through a wiki link or simply entering their address in the browser location bar shouldn't make any difference in terms of security. All I am doing is adding yet another JSP to JSPWiki which uses JavaScript for some UI logic and asynchronous HTTP requests. If adding custom JSPs which make use of standard JavaScript opens security holes in JSPWiki, then JSPWiki may be fundamentally broken in terms of security.

Best,
Matthias
