But giving somebody a fraudulent link is not cross-site scripting, and
browser certificate checks would catch that anyway.
Only the service provider has control over the contents of the
https://www.mybank.com/services/BankingService?wsdl page; Bad Guy has no
opportunities to enter in data that could alter that page, so I don't
see where the XSS concern is.
Glen
On 2/24/2011 12:20 PM, Rhenius, Karl Stefan wrote:
But how could Bad Guy inject that on the Available SOAP services page?
AFAIK cross-site scripting is only a problem when you allow user entry
of fields that are reproduced as-is on HTML pages.
He can give you a link that misuses a trustworthy domain to show his content.
Karl