on 11/8/2000 4:03 AM, "Chris Kimpton" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> We were just testing our site and someone found that they could put javascript
> code into our tables - which was then processed upon re-displaying the data!
This is called the "Cross Site Scripting Vulnerability".
> My first thoughts to handle this are to do a replace of chars like < and >
> with the HTML printable versions - &lt; &gt;.
>
> So - anyone handled this before - does this seem like the best solution? And
> anyone got a utility for it? I can't see any obvious solutions in
> Turbine/JSDK/JDK.
Actually, there is one, but it is badly placed and fairly hidden. It should
also be implemented with regular expressions instead of ECS.
At the bottom of the Screen module, John started to work on this...
<http://www.working-dogs.com/turbine/cvsweb/index.cgi/turbine/src/java/org/apache/turbine/modules/Screen.java?rev=1.2&content-type=text/x-cvsweb-markup>
> If not, I could code it and contribute it back to turbine - as a stringutil or
> parameter parsers method.
We still need to discuss where it would go.
> It would take a string and replace the few special chars with their encoded
> versions, for example < becomes &lt;
It is more than just that, but that is a good start. I suggest that you do
some reading on the CSSV issues and then make a proposal.
-jon
--
http://scarab.tigris.org/ | http://noodle.tigris.org/
http://java.apache.org/ | http://java.apache.org/turbine/
http://www.working-dogs.com/ | http://jakarta.apache.org/velocity/
http://www.collab.net/ | http://www.sourcexchange.com/
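A minimal version of the string utility Chris describes, added here as an example; it is not Turbine's code and not the Screen.java method Jon points at. The class name is hypothetical. It encodes the characters that carry meaning for an HTML parser so a stored value is displayed literally instead of being executed when the table is re-rendered; it covers element content only, which is Jon's point that the full problem is "more than just that".

```java
// Hypothetical utility (added example, not part of Turbine).
public final class HtmlEscape {

    private HtmlEscape() {}

    /**
     * Replace the characters an HTML parser treats specially with their
     * entity forms. Suitable for user data written into element content
     * (table cells, paragraphs). Attribute values, URLs and inline script
     * are different contexts and need their own encoders.
     */
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                // '&' is encoded too, so a user who types "&lt;" sees it
                // literally instead of the browser decoding it to '<'.
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                // numeric form: &apos; is not defined in HTML 4.
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of a value that might have been stored in a table cell.
        String stored = "<script>alert('x')</script> & \"quoted\"";
        System.out.println(escapeHtml(stored));
    }
}
```

Apply it at output time, when the value is written into the page, not at input time, so the stored data stays intact and every display path gets the same treatment.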