WO applications are indeed vulnerable to cross-site scripting if end users are allowed to submit HTML. An example would be an online HTML editor which allows users to edit formatted text in their browsers.
In order to remove unwanted and malicious code from the submitted HTML and avoid cross-site scripting issues, one has to filter the submitted content on the server side. For this task I have found AntiSamy to be a useful solution: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

Josef

On 12.07.2011 at 09:36, Simon wrote:

> i think core WO is still plagued with the wosid cross-scripting issue too. we patch it in ERXRequest - not sure if the patch ever made it into wonder though...
>
> simon
>
>
> On 12 July 2011 02:43, Mike Schrag <msch...@pobox.com> wrote:
> You have to be mindful of ever rendering any tainted strings ... Any string that came from user input should be considered a risk for cross site scripting, so that's any field editable by a user, or any query parameter, etc. If you append those strings to response or <WOString> render them, make sure to escape HTML or strip HTML.
>
> ms
>
> On Jul 11, 2011, at 9:41 PM, Mai Nguyen wrote:
>
> > Do you mean the issue of malicious HTML tags?
> >
> > I wonder what would be the best way to prevent those?
> >
> > thanks,
> >
> > mai
> >
> >
> > On Jul 11, 2011, at 6:36 PM, George Domurot wrote:
> >
> >> If you output strings with escapeHTML=false, you could have an issue. You may want to consider stripping all potential tags from strings prior to rendering, or at the time of entry.
> >>
> >> -G
> >>
> >> On Jul 11, 2011, at 6:01 PM, Mai Nguyen wrote:
> >>
> >>> Hello,
> >>> I have found some good information about WebObjects and security at the following wiki link:
> >>>
> >>> http://en.wikibooks.org/wiki/WebObjects/Web_Applications/Development/Authentication_and_Security
> >>>
> >>> However, there is no mention about SQL injections which seems to be an active subject lately. Is WebObjects pretty safe, as there is no need to generate SQL directly and access to the DB is going through the EOs normally?
> >>> Are there any other loopholes that I am not aware of?
> >>> About the following article:
> >>> http://support.apple.com/kb/TA26730?viewlocale=en_US
> >>> Would the normal WebObjects behavior be pretty safe if one does not allow the user to enter HTML tags? Does Project Wonder do something in this area?
> >>>
> >>> Many thanks for your advice,
> >>>
> >>> -mai
> >>> _______________________________________________
> >>> Do not post admin requests to the list. They will be ignored.
> >>> Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
> >>> Help/Unsubscribe/Update your Subscription:
> >>> http://lists.apple.com/mailman/options/webobjects-dev/george%40boxofficetickets.com
> >>>
> >>> This email sent to geo...@boxofficetickets.com

--
Dr. Josef Burzler
Phone +49-(0)941-69 84 84-37
j.burz...@selbstdenker.ag

===================================
SELBSTDENKER AG - No Vision Too Far
Gesandtenstraße 10
93047 Regensburg
Phone +49-(0)941-69 84 84-0
Fax +49-(0)941-69 84 84-99
b...@selbstdenker.ag
http://www.selbstdenker.ag
Branch office: Regensburg
Commercial register: Regensburg HRB 7860
Management board/CEO: Mr Stephan Fürnrohr
Chairman of the supervisory board: Mr Dipl. Betriebswirt (FH) Richard Sibinger
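As an added example (not code from this thread, and not WebObjects or Project Wonder code), the following standalone Java class shows what Mike's and George's advice comes down to at render time: every string that originated from user input is escaped before it is appended to the response, and emitting it verbatim is reserved for HTML that has already been cleaned on entry by a server-side filter such as the AntiSamy library Josef mentions. The class name TaintedOutput, the render(value, escapeHTML) method standing in for a WOString bound with escapeHTML=true or escapeHTML=false, the containsMarkup check and the sample inputs are all assumptions made for this example; nothing here calls the WebObjects API.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not WebObjects or Project Wonder code): output escaping for
 * tainted strings. TaintedOutput.render(value, escapeHTML) is a hypothetical
 * stand-in for a WOString with escapeHTML=true (the default) or escapeHTML=false.
 */
public final class TaintedOutput {

    private TaintedOutput() {
    }

    /**
     * Escape the characters that let text break out of an HTML text node or a
     * quoted attribute value. Everything else passes through unchanged, so the
     * result can be placed between tags or inside a quoted attribute.
     */
    public static String escapeHtml(String tainted) {
        if (tainted == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(tainted.length() + 16);
        for (int i = 0; i < tainted.length(); i++) {
            char c = tainted.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Hypothetical stand-in for WOString: with escapeHTML=true the value is
     * escaped; with escapeHTML=false it is emitted verbatim, which is only
     * acceptable for HTML that a server-side filter (e.g. AntiSamy) has already
     * cleaned at the time of entry.
     */
    public static String render(String value, boolean escapeHTML) {
        if (value == null) {
            return "";
        }
        return escapeHTML ? escapeHtml(value) : value;
    }

    /** Rough check used by the demo: does the rendered output still carry raw tag or attribute delimiters? */
    public static boolean containsMarkup(String rendered) {
        return rendered.indexOf('<') >= 0
                || rendered.indexOf('>') >= 0
                || rendered.indexOf('"') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for a user-editable field and a query parameter.
        List<String> samples = Arrays.asList(
                "Tom & Jerry",
                "5 < 6 and 7 > 3",
                "<b>formatted</b> text from an online editor",
                "<script>alert(1)</script>");
        for (String s : samples) {
            String escaped = render(s, true);
            String raw = render(s, false);
            System.out.println("input:              " + s);
            System.out.println("escapeHTML=true  -> " + escaped
                    + "   (markup left: " + containsMarkup(escaped) + ")");
            System.out.println("escapeHTML=false -> " + raw
                    + "   (markup left: " + containsMarkup(raw) + ")");
            System.out.println();
        }
    }
}
```

Compile and run with `javac TaintedOutput.java && java TaintedOutput`. The two mechanisms discussed in the thread are complementary rather than alternatives: escaping at render time is the default that protects every plain-text field and query parameter, while an allowlist sanitizer such as AntiSamy is what makes it defensible to switch escaping off for the one place, such as the online HTML editor's output, where formatted markup genuinely has to be emitted.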