Hi Chuck,
I found the culprit.
If, by any chance, you have an Ajax type which starts with a <script> and, 
preceding the Ajax element, you have a malicious script, then that script would 
be executed.

The thing is to prevent it completely, but even scrubbing it may still get 
executed in JavaScript, as the JavaScript parser is active. So it is better not 
to have any script at all, and do it some other way.

thanks,

mai
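An added example, not code from this thread or from WebObjects, of the layered encoding the "Show Details" link below needs; the helper names, the placeholder URL and the sample description are constructed, and the browser's attribute decoding is simulated rather than real:

```javascript
// Added example, not code from this thread: the "Show Details" link is
// rebuilt with context-aware encoding. The description reaches three
// contexts: the target= attribute, a JavaScript string literal inside the
// onClick attribute, and plain HTML. The JS-string encoding must be applied
// BEFORE the attribute encoding, because a browser decodes attribute
// entities first and only then hands the handler text to the JS parser.

// HTML text/attribute context: neutralise the HTML metacharacters.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH everything outside a
// conservative allow-list, so no quote or angle bracket survives.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._\/:=-]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Constructed stand-in for the browser: decode an attribute value the way
// it is decoded before an onClick handler is parsed as JavaScript.
function decodeAttr(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return s.replace(/&#x([0-9a-f]+);|&(amp|lt|gt|quot);/gi, (m, hex, name) =>
    hex ? String.fromCharCode(parseInt(hex, 16)) : named[name.toLowerCase()]);
}

// Render the link with layered encoding; `url` stands in for the WebObjects
// component action URL (constructed placeholder, not the one in the thread).
function renderDetailsLink(description, url) {
  const jsName = encodeHtml(encodeJsString(description));
  const jsUrl = encodeHtml(encodeJsString(url));
  const onClick = `window.open('${jsUrl}','${jsName}',` +
    `'toolbar=no,resizable=yes,width=900,height=600'); return false`;
  return `<a target="${encodeHtml(description)}" onClick="${onClick}" ` +
    `href="${encodeHtml(url)}">Show Details</a>`;
}

// The window-name string as the JS parser sees it: attribute encoding alone
// hands the raw quotes straight back, the layered form does not.
function jsNameSeenByParser(description, layered) {
  const attr = layered ? encodeHtml(encodeJsString(description)) : encodeHtml(description);
  return decodeAttr(attr);
}
```

Server side in WebObjects the same two encoders would be applied in Java before the value is bound to the link; the rule that matters is the order, JS-string escaping first and HTML-attribute encoding second.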
On Aug 15, 2011, at 10:47 AM, Chuck Hill wrote:

> Hi Mai,
> 
> I am confused.  That HTML looks like it was added on the server.   Are you 
> using an Ajax component that is adding this to your page?
> 
> 
> Chuck
> 
> 
> On 2011-08-12, at 4:57 PM, Mai Nguyen wrote:
> 
>> Hello,
>> I am really baffled at how someone can insert a <A target> link into the 
>> following WebObjects page:
>> .....
>> <td> &amp;#x5b;Enter brief description of 
>> issue&amp;#x28;s&amp;#x29;&amp;#x5d;
>>                <br/>
>>                 <a href="javascript:void(0);" onClick="show_summary(this); 
>> return false;">Show Summary</a> 
>>                              
>> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
>>                              <A target="[Enter brief description of 
>> issue(s)]" 
>> onClick="window.open('/cgi-bin/WebObjects/MyTestApp.woa/1/wo/TTx5ltJlAYLbrboJWoAQyw/4.0.19.13.7.11.1.5.7.7.3.1.11','[Enter
>>  brief description of 
>> issue(s)]','toolbar=no,location=no,status=no,menubar=no,resizable=yes,scrollbars=yes,width=900,height=600');
>>  return false" 
>> href="/cgi-bin/WebObjects/MyTestApp.woa/1/wo/TTx5ltJlAYLbrboJWoAQyw/4.0.19.13.7.11.1.5.7.7.3.1.11">Show
>>  Details</A>
>>                </td>
>> ......
>> All input fields are verified and sanitized.
>> 
>> Could someone inject this <A> link from the above onClick="show_summary()" 
>> JavaScript?
>> 
>> Many thanks for your advice,
>> 
>> -mai
> 
> 
> -- 
> Chuck Hill             Senior Consultant / VP Development
> 
> Practical WebObjects - for developers who want to increase their overall 
> knowledge of WebObjects or who are trying to solve specific problems.    
> http://www.global-village.net/products/practical_webobjects
> 

Webobjects-dev mailing list      ([email protected])