Hi, I'm still confused as to how you get a JavaScript alert.
Here is a sort example: http://click.avoka.com/click-examples/table/table-sorting.htm

What do you change in the URL to get the alert? Can you post the URL here?

Kind regards

Bob

On Wed, Mar 21, 2012 at 7:18 PM, foxesout <[email protected]> wrote:
> Bob,
> Thanks for your reply.
> This is done as part of the cross site scripting testing, so what we put in
> the URL may seem strange but it reveals the possible vulnerabilities.
>
> No - I don't have these variables displayed on the pages, they are not part
> of the Velocity Templates.
>
> This happens during the sort for example. If you click on a column to sort
> and then in the URL substitute that column name with something that has or
> similar, you will get a JavaScript alert. Or an ID parameter that is bound
> on the page but not displayed, if substituted with an above string - will
> get you an alert.
>
> Is there a way to catch this?
>
> Thanks so much for the help.
>
> --
> View this message in context:
> http://click.1134972.n2.nabble.com/Javascript-is-executed-before-the-Filter-Cross-site-scripting-tp7392633p7392891.html
> Sent from the click-user mailing list archive at Nabble.com.
