My recommendation is to only use cookie session ids and actually throw very early if you get a URL session id.
Sent from my iPhone On Jul 12, 2011, at 3:36 AM, Simon <si...@potwells.co.uk> wrote: > i think core WO is still plagued with the wosid cross-scripting issue too. we > patch it in ERXRequest - not sure if the patch ever made it into wonder > though... > > simon > > > On 12 July 2011 02:43, Mike Schrag <msch...@pobox.com> wrote: > You have to be mindful of ever rendering any tainted strings ... Any string > that came from user input should be considered a risk for cross site > scripting, so that's any field editable by a user, or any query parameter, > etc. If you append those strings to response or <WOString> render them, make > sure to escape HTML or strip HTML. > > ms > > On Jul 11, 2011, at 9:41 PM, Mai Nguyen wrote: > > > Do you mean the issue of malicious HTML tags? > > > > I wonder what would be the best way to prevent those? > > > > thanks, > > > > mai > > > > > > On Jul 11, 2011, at 6:36 PM, George Domurot wrote: > > > >> If you output strings with escapeHTML=false, you could have an issue. > >> You may want to consider stripping all potential tags from strings prior > >> to rendering, or at the time of entry. > >> > >> -G > >> > >> On Jul 11, 2011, at 6:01 PM, Mai Nguyen wrote: > >> > >>> Hello, > >>> I have found some good information about WebObjects and security at the > >>> following wiki link: > >>> > >>> http://en.wikibooks.org/wiki/WebObjects/Web_Applications/Development/Authentication_and_Security > >>> > >>> However, there is no mention about SQL injections which seems to be an > >>> active subject lately. Is WebObjects pretty safe, as there is no need to > >>> generate SQL directly and access to the DB is going through the EOs > >>> normally? > >>> Are there any other loopholes that I am not aware of? > >>> About the following article: > >>> http://support.apple.com/kb/TA26730?viewlocale=en_US > >>> Would the normal WebObjects behavior be pretty safe if one does not allow > >>> the user to enter HTML tags? Does Project Wonder do something in this > >>> area? > >>> > >>> Many thanks for your advice, > >>> > >>> -mai _______________________________________________ > >>> Do not post admin requests to the list. They will be ignored. > >>> Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) > >>> Help/Unsubscribe/Update your Subscription: > >>> http://lists.apple.com/mailman/options/webobjects-dev/george%40boxofficetickets.com > >>> > >>> This email sent to geo...@boxofficetickets.com > >> > > > > _______________________________________________ > > Do not post admin requests to the list. They will be ignored. > > Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) > > Help/Unsubscribe/Update your Subscription: > > http://lists.apple.com/mailman/options/webobjects-dev/mschrag%40pobox.com > > > > This email sent to msch...@pobox.com > > _______________________________________________ > Do not post admin requests to the list. They will be ignored. > Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) > Help/Unsubscribe/Update your Subscription: > http://lists.apple.com/mailman/options/webobjects-dev/simon%40potwells.co.uk > > This email sent to si...@potwells.co.uk >
_______________________________________________ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
