@Raine,
Thanks for the valuable information. I can examine the code if someone is
willing to grant proper access.
-Tres
- tres.finocchi...@gmail.com
On Wed, Jul 16, 2014 at 7:27 AM, Raine M. Ekman <ra...@iki.fi> wrote:
> Quoting Tres Finocchiaro <tres.finocchi...@gmail.com>:
>
> > Php can check the header and block requests from 3rd party domains (modern
> > web browsers actually do this automatically unless the site explicitly
> > allows cross domain resources), but I don't have access to see our current
> > site and it would be my first time doing this. Furthermore, I don't think
> > this will help because the OP seems to be injecting <script> tags into the
> > page by using Unicode escaping techniques (the idea is someone could make a
> > custom version of our page by manipulating a long URL, or worse, post spam
> > on behalf of a logon section by invoking buttons unbeknownst to the logged
> > in user).
>
> Basically the steps to cure XSS problems are:
>
> 1. Sanitize input; it looks like at least on the public side everything
> goes through a few parameters to index.php, which should make this simple.
>
> Something in this style at the top of the script might go quite some way:
>
> if(!in_array($_REQUEST["action"], $legalActions)) {
>     // do something: error out, strip out extra data, select a default action
> }
>
>
> 2. Sanitize output, i.e. don't display anything that's come in from
> the Internet without removing everything that looks like (unwanted)
> HTML. This includes most user-generated content that comes from the
> database...
>
>
> --
> ra...@iki.fi
> softrabbit on #lmms
>
_______________________________________________
LMMS-devel mailing list
LMMS-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lmms-devel
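The two steps Raine lists, worked through in PHP as an added example (not code from the LMMS site or from this thread); the action names, the `selectAction` and `h` helpers and the sample request and database row are assumptions made for illustration.

```php
<?php
// Added example, not the LMMS site's own code. $legalActions, the helper
// names and the sample data below are assumptions for illustration.

// Step 1: allow-list the 'action' parameter that index.php dispatches on.
// The third argument to in_array() asks for strict (===) comparison, and
// anything that is missing, not a string or not on the list falls back to
// a default action instead of being echoed or used to pick a file.
$legalActions = array('home', 'news', 'download', 'screenshots');

function selectAction(array $request, array $legalActions, $default = 'home')
{
    if (!isset($request['action']) || !is_string($request['action'])) {
        return $default;
    }
    return in_array($request['action'], $legalActions, true)
        ? $request['action']
        : $default;
}

// Step 2: escape on output. Anything that came in from the Internet,
// including user-generated content read back from the database, goes
// through htmlspecialchars() right where it is echoed into HTML, so a
// <script> tag or a stray quote becomes literal text. ENT_QUOTES covers
// both quote styles so the same helper is safe inside attribute values.
function h($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_REQUEST and a database row.
$request = array('action' => '<script>alert(1)</script>', 'page' => '2">');
$row     = array(
    'author'  => 'Raine',
    'comment' => 'Use "<b>" tags? <script src="//attacker.example"></script>',
);

$action = selectAction($request, $legalActions);   // falls back to 'home'

echo '<h1>' . h($action) . '</h1>' . PHP_EOL;
echo '<input name="page" value="' . h($request['page']) . '">' . PHP_EOL;
echo '<p class="author">' . h($row['author']) . '</p>' . PHP_EOL;
echo '<p>' . h($row['comment']) . '</p>' . PHP_EOL;
```

Run it with `php example.php` and check that the `<script>` in the comment and the `">` in the `page` value come out as `&lt;script ...&gt;` and `&quot;&gt;`, i.e. as text, not markup.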