Bob,

Thanks for your reply. This is done as part of the cross site scripting testing, so what we put in the URL may seem strange but it reveals the possible vulnerabilities.

No - I don't have these variables displayed on the pages, they are not part of the Velocity Templates. This happens during the sort for example. If you click on a column to sort and then in the URL substitute that column name with something that has or similar, you will get a JavaScript alert. Or an ID parameter that is bound on the page but not displayed, if substituted with an above string - will get you an alert. Is there a way to catch this?

Thanks so much for the help.

--
View this message in context: http://click.1134972.n2.nabble.com/Javascript-is-executed-before-the-Filter-Cross-site-scripting-tp7392633p7392891.html
Sent from the click-user mailing list archive at Nabble.com.
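Added example, not part of the original post and not Apache Click code: one way to handle the two parameters described above is to check the sort column against an allowlist, accept only digits for the ID, and HTML-escape any value that is echoed back. The parameter names `column` and `id`, the column names and the class `SortParamGuard` are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class SortParamGuard {
    // Hypothetical column names; in a real page these come from the table definition.
    private static final Set<String> SORTABLE = Set.of("name", "created", "status");

    /** Returns the column only if it is one the table actually defines. */
    static Optional<String> safeColumn(String raw) {
        return (raw != null && SORTABLE.contains(raw)) ? Optional.of(raw) : Optional.empty();
    }

    /** Accepts only a short run of ASCII digits for a bound, non-displayed ID. */
    static Optional<Long> safeId(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,18}")) return Optional.empty();
        return Optional.of(Long.parseLong(raw)); // 18 digits always fit in a long
    }

    /** HTML-escapes a value for element content or a quoted attribute. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request parameters standing in for a tampered sort URL.
        Map<String, String> params = Map.of("column", "<script>alert(1)</script>", "id", "42");
        String column = safeColumn(params.get("column")).orElse("name"); // fall back to default sort
        Optional<Long> id = safeId(params.get("id"));
        System.out.println("sort column: " + column);
        System.out.println("id: " + id.map(String::valueOf).orElse("rejected"));
        System.out.println("echoed safely: " + escapeHtml(params.get("column")));
    }
}
```

The allowlist and digit check reject the tampered value before it is used; the escaping covers any place where a request value still has to be written into the response.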
