On 24 Mar 2010, at 23:12, David Connors <[email protected]> wrote:
On 25 March 2010 08:48, Liam McLennan <[email protected]> wrote:
customer is a view model, so customer.Name will never be null
That isn't the issue ... you might want to check how many Mr
OnMouseOvers (occupation Cookie Thief) there are in your customer
database. ;)
Or for those that missed the subtlety, if your customer's name is:
<script>alert('boo');</script>Smith
Replace the alert with any JavaScript you like to, for example, steal
cookies, inject into the page, redirect to a malware site, etc. And if
one didn't do the obvious alert(), the script tag would be invisible
to anyone.
Don't just think it's affecting the "customer's" own view, think what
you might do if that same data is being viewed by internal support
staff who might be local admins and have the web site in Trusted Sites.
Oh, the fun one could have...
--
David Connors ([email protected])
--
Richard Carde
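The point David makes above, as an added example that is not code from the thread: the view stack is not named, so a Python stand-in renders the customer name once as-is and once HTML-encoded, and a small parser check shows which output hands the browser an extra element. The customer record is constructed here.

```python
import html
from html.parser import HTMLParser

# Constructed sample, not data from the thread: a customer whose Name
# field carries the markup David gives as his example.
SAMPLE_CUSTOMER = {"Name": "<script>alert('boo');</script>Smith"}


def render_unencoded(customer):
    """The bug under discussion: the view drops customer.Name into the
    HTML as-is. A non-null view model guarantees the value exists, not
    that it is safe to emit."""
    return f"<p>Customer: {customer['Name']}</p>"


def render_encoded(customer):
    """The fix: HTML-encode on output so '<' becomes '&lt;' and the
    browser displays the name instead of executing it."""
    return f"<p>Customer: {html.escape(customer['Name'], quote=True)}</p>"


class _TagCollector(HTMLParser):
    """Records the element names a browser would create from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def active_elements(rendered):
    """Return the elements in the rendered output other than the
    template's own <p>. Anything else came from the data, which means
    the encoding step was missed."""
    parser = _TagCollector()
    parser.feed(rendered)
    return [t for t in parser.tags if t != "p"]


if __name__ == "__main__":
    for label, fn in (("unencoded", render_unencoded),
                      ("encoded", render_encoded)):
        out = fn(SAMPLE_CUSTOMER)
        print(f"{label}: {out!r} -> injected elements {active_elements(out)}")
```

The same check can run over a view's rendered output in a test suite to catch templates that skip encoding on a field.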