Quoting Tres Finocchiaro <tres.finocchi...@gmail.com>:

> Php can check the header and block requests from 3rd party domains (modern
> web browsers actually do this automatically unless the site explicitly
> allows cross domain resources), but I don't have access to see our current
> site and it would be my first time doing this. Furthermore, I don't think
> this will help because the OP seems to be injecting <script> tags into the
> page by using Unicode escaping techniques (the idea is someone could make a
> custom version of our page by manipulating a long URL, or worse, post spam
> on behalf of a logon section by invoking buttons unbeknownst to the logged
> in user).
Basically the steps to cure XSS problems are:

1. Sanitize input. It looks like at least on the public side everything goes
   through a few parameters to index.php, which should make this simple.
   Something in this style at the top of the script might go quite some way:

       $legalActions = array("index", "news", "download"); // placeholder list of the actions index.php handles
       // third argument true = strict comparison, so e.g. "0" or an array can't match loosely
       if (!isset($_REQUEST["action"]) || !in_array($_REQUEST["action"], $legalActions, true)) {
           // do something: error out, strip out extra data, select a default action
       }

2. Sanitize output, i.e. don't display anything that's come in from the
   Internet without removing everything that looks like (unwanted) HTML.
   This includes most user-generated content that comes from the database...

-- 
ra...@iki.fi
softrabbit on #lmms
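Both steps from the reply above, carried through in one small front controller, as an added PHP example that is not code from the original post or from the LMMS site. The action names, the `action` request parameter and the in-memory comment rows are constructed placeholders standing in for the real index.php and its database; the point is that the allow-list check runs before any dispatch, and that every untrusted value is escaped at the moment it is written into HTML, in both text and attribute context.

```php
<?php
// Added example, not from the original mailing-list post.
// Assumptions: LEGAL_ACTIONS and the "action" parameter are placeholders,
// and SAMPLE_COMMENTS is a constructed stand-in for rows from the database.

declare(strict_types=1);

// Step 1: allow-list input. Only actions named here are ever dispatched,
// so a manipulated URL cannot select a code path (or a value) we did not intend.
const LEGAL_ACTIONS = ['home', 'news', 'comments'];

function selectAction(array $request): string
{
    $action = $request['action'] ?? 'home';
    // Strict comparison: "0", "" or an array must not match a legal name loosely.
    if (!is_string($action) || !in_array($action, LEGAL_ACTIONS, true)) {
        return 'home'; // safe default instead of echoing the rejected value back
    }
    return $action;
}

// Step 2: escape at the point of output. ENT_QUOTES also covers single-quoted
// attribute context; ENT_SUBSTITUTE turns malformed UTF-8 into U+FFFD instead of
// letting odd byte sequences reach the browser; the explicit charset avoids
// relying on the server default.
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed rows carrying the kind of content the thread is worried about.
const SAMPLE_COMMENTS = [
    ['author' => 'alice', 'body' => 'Nice release!'],
    ['author' => '<script>alert(1)</script>', 'body' => '" onmouseover="alert(2)'],
];

function renderComments(array $rows): string
{
    $out = "<ul>\n";
    foreach ($rows as $row) {
        // Same escaping whether the value lands in an attribute or in text.
        $out .= sprintf(
            "  <li title=\"%s\">%s: %s</li>\n",
            h($row['author']), h($row['author']), h($row['body'])
        );
    }
    return $out . "</ul>\n";
}

function renderPage(array $request): string
{
    switch (selectAction($request)) {
        case 'comments':
            return "<h1>Comments</h1>\n" . renderComments(SAMPLE_COMMENTS);
        case 'news':
            return "<h1>News</h1>\n";
        default:
            return "<h1>Home</h1>\n";
    }
}

// Self-check when run from the command line: php index.php
if (PHP_SAPI === 'cli') {
    $html = renderPage(['action' => 'comments']);
    echo $html;
    if (strpos($html, '<script>') !== false || strpos($html, 'onmouseover="') !== false) {
        throw new RuntimeException('raw markup survived output escaping');
    }
    if (selectAction(['action' => '../../etc/passwd']) !== 'home') {
        throw new RuntimeException('unknown action was not rejected');
    }
    echo "checks passed\n";
}
```

Run as `php index.php`: the rendered list shows the script tag and the attribute-breakout body as literal text (`&lt;script&gt;...` and `&quot; onmouseover=...`), and the unknown action falls back to `home`. The escaping happens in `h()` rather than when the data is stored, so the same rows can later be shown in a different context without being double-escaped or left raw.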