Bugs item #3029502, was opened at 2010-07-14 05:40
Message generated for change (Comment added) made by pegacat
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=480577&aid=3029502&group_id=55394
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Interface (example)
Group: None
>Status: Closed
>Resolution: Rejected
Priority: 5
Private: No
Submitted By: Michal Ambroz (rebus)
>Assigned to: Christopher Betts (pegacat)
Summary: User interface allows XSS

Initial Comment:
Some attributes/values are vulnerable to cross-site scripting when being displayed in the HTML view mode. Input from LDAP should be sanitized before it is used in HTML code to display in the HTML view. I am not sure how clever the HTML view widget is and how much it would be possible to misuse this vulnerability. On the attached screenshot the value of the attribute postaladdress contains an attempt to inject JavaScript. The JavaScript is not executed, but it deforms the presented page, which means it is processed somehow.

----------------------------------------------------------------------

>Comment By: Christopher Betts (pegacat)
Date: 2012-01-03 03:32

Message:
The standard Java HTML pane is used, and it's not capable of executing scripts. I suppose someone could put a dodgy link in, but even then the HTML browser is extremely limited. Unless I can be shown a clear security risk here I don't think it's worth the effort (and performance hit) to parse text for XSS.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=480577&aid=3029502&group_id=55394
_______________________________________________
Jxplorer-devel mailing list
Jxplorer-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jxplorer-devel
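The fix the report asks for is output encoding rather than "parsing text for XSS": every directory-supplied string is HTML-escaped at the point where the view builds its markup, so a value like the one in the screenshot reaches the HTML pane as literal text and can neither inject tags nor add a link. The following is an added illustration written for this thread, not JXplorer's own code; the entry, the attribute values and the table layout are constructed, and the method names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public final class LdapHtmlView {

    // Escape the five characters that change meaning inside HTML text or
    // attribute values. Everything else passes through unchanged, so the
    // cost is a single linear pass over each value.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Build the HTML shown for one entry (hypothetical layout). Both the
    // attribute names and the values come from the directory and are treated
    // as untrusted text; only the markup written here is trusted.
    public static String renderEntry(String dn, Map<String, String> attrs) {
        StringBuilder html = new StringBuilder("<html><body><h3>");
        html.append(escapeHtml(dn)).append("</h3><table>");
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            html.append("<tr><td>").append(escapeHtml(e.getKey()))
                .append("</td><td>").append(escapeHtml(e.getValue()))
                .append("</td></tr>");
        }
        return html.append("</table></body></html>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample entry. The postalAddress value carries a script
        // tag (the kind of payload the report describes) and a link, which
        // covers the "dodgy link" case raised in the reply.
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("cn", "Test User");
        attrs.put("postalAddress",
                "<script>alert(1)</script><a href=\"javascript:void(0)\">link</a>");

        String html = renderEntry("cn=Test User,ou=people,dc=example,dc=com", attrs);
        System.out.println(html);

        // After escaping, no tag from the directory value survives as markup:
        // the HTML parser only ever sees the tags written by renderEntry.
        boolean neutralised = !html.contains("<script>") && !html.contains("<a href");
        System.out.println("payload neutralised: " + neutralised);
    }
}
```

The returned string is what would be handed to the HTML widget (for a Swing view, a JEditorPane with an HTML editor kit is the usual choice; that is an assumption, the thread only says "the standard Java HTML pane"). Escaping at the rendering boundary is the right layer regardless of what the pane can execute: it also stops a value from breaking the table layout, which is the deformation the reporter observed.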