hi ortwin, thx for reporting the issue! (fyi: please send such topics to the dev-list)
@thomas: we need to use maxWindowIdCount there as well.

regards,
gerhard

2015-07-17 16:01 GMT+02:00 Ortwin Escher <[email protected]>:

> Hello,
>
> The WindowIdHtmlRenderer writes the cookie content of the dsrwid cookie
> directly into the page body when using the <ds:windowId/> tag. You might
> want to escape the content, do a sanity check or at least do the same
> shortening the windowId request parameter has.
>
> A small example: Having a cookie like "dsrwid--9414" with the content
> "-9414'+alert('HelloWorld')+'" will open a HelloWorld alert when the
> window id is "-9414".
>
> Kind regards
>
> Ortwin Escher
>
> Fachreferent, Fahrzeug IT, VC-M1
>
> IAV GmbH
> Rockwellstrasse 16
> 38518 GIFHORN
> GERMANY
>
> Internet: http://www.iav.com
>
> Sitz/Registered Office: Berlin,
> Registergericht/Registration Court: Amtsgericht Charlottenburg,
> Registernummer/Company Registration Number: HRB 21 280,
> Geschäftsführer/Managing Directors: Kurt Blumenröder, Michael Schubert,
> Olaf Kupke
> Vorsitzender des Aufsichtsrates/Chairman of the Supervisory Board: Dr.
> Harald Ludanek
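
Added example, not part of the original thread and not DeltaSpike code: a sketch of the sanity check and escaping suggested in the report, applied to the dsrwid cookie value before it is rendered. The class name, the allowed pattern and the length limit are assumptions, as is the premise (implied by the reported payload) that the value lands inside a single-quoted JavaScript string.

```java
import java.util.Optional;
import java.util.regex.Pattern;

// Illustration only; names, pattern and limit are assumptions, not DeltaSpike's.
public class WindowIdCookieCheck {

    // Assumed limit; the project's real maximum is not stated in this thread.
    static final int MAX_LENGTH = 10;

    // Assumed shape of a legitimate window id: optional '-' followed by digits.
    static final Pattern WINDOW_ID = Pattern.compile("-?[0-9]+");

    /** Returns the cookie value only if it looks like a window id, else empty. */
    static Optional<String> sanitize(String cookieValue) {
        if (cookieValue == null || cookieValue.length() > MAX_LENGTH) {
            return Optional.empty();
        }
        return WINDOW_ID.matcher(cookieValue).matches()
                ? Optional.of(cookieValue)
                : Optional.empty();
    }

    /** Defense in depth: encode everything except ASCII letters and digits. */
    static String escapeForJsString(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: a plain id, the value from the report, an over-long id.
        String[] samples = { "-9414", "-9414'+alert('HelloWorld')+'", "12345678901" };
        for (String s : samples) {
            String decision = sanitize(s).map(v -> "render " + v).orElse("reject");
            System.out.println(escapeForJsString(s) + " -> " + decision);
        }
    }
}
```

The check rejects rather than truncates: cutting the reported value to the assumed 10 characters would still leave the quote character in place, so shortening alone does not neutralise it.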
