It seems that most attributes in components are not escaped properly to avoid XSS (even with the latest Wonder). Sample:

XSSImage : WOImage {
    src = "someImage.gif";
    alt = "\"><script>alert('Hi')</script>";
}

The problem is that when that content comes from a database, nothing prevents this kind of input.

The question is: is this a bug or (for whatever reason) a feature?

Oliver

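Added example (not from the post, nor WebObjects or Wonder code) showing what the XSSImage bindings above render to when the alt value is passed through unchanged versus when it is escaped as an HTML attribute value; the class, method names and the bindings map are constructed for the demonstration.

```java
// Added example, not part of the original post or of WebObjects/Wonder:
// render a WOImage-style <img> tag with and without escaping the alt binding.
import java.util.LinkedHashMap;
import java.util.Map;

public class AttributeEscapeDemo {

    // Escape the characters that can terminate a double-quoted HTML attribute
    // or start markup once the value is inside the tag.
    static String escapeAttribute(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Build the tag from the bindings; 'escape' selects the vulnerable
    // rendering (raw value) or the hardened one (escaped value).
    static String renderImg(Map<String, String> bindings, boolean escape) {
        StringBuilder sb = new StringBuilder("<img");
        for (Map.Entry<String, String> e : bindings.entrySet()) {
            String v = escape ? escapeAttribute(e.getValue()) : e.getValue();
            sb.append(' ').append(e.getKey()).append("=\"").append(v).append('"');
        }
        return sb.append(" />").toString();
    }

    public static void main(String[] args) {
        // Constructed bindings mirroring the XSSImage example from the post;
        // the alt value stands in for untrusted text loaded from a database.
        Map<String, String> bindings = new LinkedHashMap<>();
        bindings.put("src", "someImage.gif");
        bindings.put("alt", "\"><script>alert('Hi')</script>");

        System.out.println("unescaped: " + renderImg(bindings, false));
        System.out.println("escaped:   " + renderImg(bindings, true));
    }
}
```

In the unescaped line the leading quote and `>` end the img tag, so the browser parses the script element as markup; in the escaped line the entire value stays inside the alt attribute.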

Webobjects-dev mailing list      (Webobjects-dev@lists.apple.com)