Prefs / view parameter escaping
-------------------------------

                 Key: SHINDIG-89
                 URL: https://issues.apache.org/jira/browse/SHINDIG-89
             Project: Shindig
          Issue Type: Improvement
          Components: Features
            Reporter: Kevin Brown
            Assignee: Kevin Brown


Currently, we do not escape gadgets.Prefs or gadgets.views parameters.

This could potentially result in exploits of data by malicious outside sites.

To remedy this, I propose the attached patch.

As it stands, the spec is silent on the escaping issue, but in practice 
gmodules.com already does this escaping for user prefs and I suspect that other 
container sites do as well.

I've also included an unescaping mechanism that I think should ultimately be 
proposed to the spec discussion group, but that's a later issue.

Feedback is much appreciated. If no one objects, I'll commit this change 
tomorrow morning.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
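
An added example (not the patch attached to the issue, and not Shindig's code) of the approach the description outlines: escape pref and view-parameter values as they are read from the gadget URL, and offer an explicit unescape for callers that need the raw value. The function names and the handling of the `up_` prefix and `view-params` URL parameter are assumptions made for this illustration.

```javascript
// Added illustration; all names here are hypothetical, not Shindig's API.
// Characters that can break out of an HTML text or attribute context.
const ESCAPE_RE = /[<>"'&]/g;

// Encode each risky character as a decimal numeric entity, e.g. "<" -> "&#60;".
function escapeString(str) {
  return str.replace(ESCAPE_RE, (ch) => "&#" + ch.charCodeAt(0) + ";");
}

// Explicit opt-out: single-pass reversal of the entities escapeString emits.
function unescapeString(str) {
  return str.replace(/&#([0-9]+);/g, (_, code) => String.fromCharCode(Number(code)));
}

// View params are JSON, so escape strings at every depth, including keys.
function escapeValue(value) {
  if (typeof value === "string") return escapeString(value);
  if (Array.isArray(value)) return value.map(escapeValue);
  if (value !== null && typeof value === "object") {
    const out = Object.create(null); // no prototype, so "__proto__" is just a key
    for (const [k, v] of Object.entries(value)) out[escapeString(k)] = escapeValue(v);
    return out;
  }
  return value; // numbers, booleans and null carry no markup
}

// Assumed URL layout: "up_<name>" carries a user pref, "view-params" carries JSON.
function readGadgetParams(query) {
  const prefs = Object.create(null);
  let viewParams = Object.create(null);
  for (const [name, value] of new URLSearchParams(query)) {
    if (name.startsWith("up_")) {
      prefs[escapeString(name.slice(3))] = escapeString(value);
    } else if (name === "view-params") {
      try {
        viewParams = escapeValue(JSON.parse(value));
      } catch (e) {
        viewParams = Object.create(null); // malformed JSON: expose nothing
      }
    }
  }
  return { prefs, viewParams };
}

// Constructed sample input: a pref and a view param that both contain markup.
const SAMPLE_QUERY = new URLSearchParams({
  up_title: "<b>hi</b>",
  "view-params": JSON.stringify({ tab: 'a"b', n: 3 }),
}).toString();
```

Gadget code that writes `prefs.title` into the page receives the entity-encoded form by default and has to call `unescapeString` deliberately to get the raw value back.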
