[
https://issues.apache.org/jira/browse/SHINDIG-89?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kevin Brown closed SHINDIG-89.
------------------------------
Resolution: Fixed
rev630172
> Prefs / view parameter escaping
> -------------------------------
>
> Key: SHINDIG-89
> URL: https://issues.apache.org/jira/browse/SHINDIG-89
> Project: Shindig
> Issue Type: Improvement
> Components: Features
> Reporter: Kevin Brown
> Assignee: Kevin Brown
> Attachments: escaping-patch.patch
>
>
> Currently, we do not escape gadgets.Prefs or gadgets.views parameters.
> This could potentially result in exploits of data by malicious outside sites.
> To remedy this, I propose the attached patch.
> As it stands, the spec is silent on the escaping issue, but in practice
> gmodules.com already does this escaping for user prefs and I suspect that
> other container sites do as well.
> I've also included an unescaping mechanism that I think should ultimately be
> proposed to the spec discussion group, but that's a later issue.
> Feedback is much appreciated. If no one objects, I'll commit this change
> tomorrow morning.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
