[https://issues.apache.org/jira/browse/SHINDIG-89?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12655807#action_12655807]
Tim Moore commented on SHINDIG-89:
----------------------------------
OK, do you want to point me to the right part of the spec?
It doesn't say anything about escaping pref values in any of these documents:
http://www.opensocial.org/Technical-Resources/opensocial-spec-v08/gadgets-reference08#gadgets.Prefs.getString
http://www.opensocial.org/Technical-Resources/opensocial-spec-v08/gadget-spec
http://opensocial-resources.googlecode.com/svn/spec/0.8/gadgets/prefs.js
http://code.google.com/apis/gadgets/docs/reference/#gadgets.Prefs.getString
And I see no mention of it in the release notes at
http://www.opensocial.org/Technical-Resources/opensocial-release-notes
The only related change that I can see is this:
http://www.opensocial.org/Technical-Resources/opensocial-spec-v08/opensocial-reference08#opensocial.DataRequest.DataRequestFields.ESCAPE_TYPE
which doesn't have anything to do with gadgets.Prefs AFAICT.
> Prefs / view parameter escaping
> -------------------------------
>
> Key: SHINDIG-89
> URL: https://issues.apache.org/jira/browse/SHINDIG-89
> Project: Shindig
> Issue Type: Improvement
> Components: Features (Javascript)
> Reporter: Kevin Brown
> Assignee: Kevin Brown
> Attachments: escaping-patch.patch
>
>
> Currently, we do not escape gadgets.Prefs or gadgets.views parameters.
> This could potentially result in exploits of data by malicious outside sites.
> To remedy this, I propose the attached patch.
> As it stands, the spec is silent on the escaping issue, but in practice
> gmodules.com already does this escaping for user prefs and I suspect that
> other container sites do as well.
> I've also included an unescaping mechanism that I think should ultimately be
> proposed to the spec discussion group, but that's a later issue.
> Feedback is much appreciated. If no one objects, I'll commit this change
> tomorrow morning.
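An added illustration (not Shindig's code and not the attached escaping-patch.patch) of the escape-on-read behaviour the issue proposes: user pref values taken from the container URL are HTML-escaped when read through a gadgets.Prefs.getString-style accessor, with a separate raw accessor standing in for the proposed unescaping mechanism. SafePrefs, getRawString and parseUserPrefs are assumed names, and the query string is constructed for the example.

```javascript
// Added example, not Shindig's code: escape pref values on read so markup in a
// container-supplied value renders as text instead of being interpreted.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Reverse escapeHtml. '&amp;' is decoded last so '&amp;lt;' round-trips to
// '&lt;', not to '<'.
function unescapeHtml(value) {
  return String(value)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Parse "up_<name>=<value>" pairs from a container URL query string; these are
// the externally controlled inputs the issue is about (assumed name/format).
function parseUserPrefs(queryString) {
  const prefs = {};
  for (const [key, value] of new URLSearchParams(queryString)) {
    if (key.startsWith('up_')) prefs[key.slice(3)] = value;
  }
  return prefs;
}

class SafePrefs {
  constructor(rawPrefs) { this.raw = { ...rawPrefs }; }
  // Mirrors gadgets.Prefs.getString but returns an HTML-escaped value, so a
  // gadget that assigns it to innerHTML shows the markup as literal text.
  getString(name) {
    const v = this.raw[name];
    return v === undefined ? '' : escapeHtml(v);
  }
  // Hypothetical raw accessor for gadgets that do their own encoding.
  getRawString(name) {
    const v = this.raw[name];
    return v === undefined ? '' : v;
  }
}

// Constructed sample: a container URL carrying a pref value that contains markup.
const SAMPLE_QUERY = 'up_title=' + encodeURIComponent('<b>untrusted</b> & "quoted"') + '&view=home';
const samplePrefs = new SafePrefs(parseUserPrefs(SAMPLE_QUERY));
```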
--
This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.