Posted to dev@shindig.apache.org by "Kevin Brown (JIRA)" <ji...@apache.org> on 2008/02/22 03:42:19 UTC

[jira] Created: (SHINDIG-89) Prefs / view parameter escaping

Prefs / view parameter escaping
-------------------------------

                 Key: SHINDIG-89
                 URL: https://issues.apache.org/jira/browse/SHINDIG-89
             Project: Shindig
          Issue Type: Improvement
          Components: Features
            Reporter: Kevin Brown
            Assignee: Kevin Brown


Currently, we do not escape gadgets.Prefs or gadgets.views parameters.

This could potentially result in exploits of data by malicious outside sites.

To remedy this, I propose the attached patch.

As it stands, the spec is silent on the escaping issue, but in practice gmodules.com already does this escaping for user prefs and I suspect that other container sites do as well.

I've also included an unescaping mechanism that I think should ultimately be proposed to the spec discussion group, but that's a later issue.

Feedback is much appreciated. If no one objects, I'll commit this change tomorrow morning.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (SHINDIG-89) Prefs / view parameter escaping

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-89?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Brown updated SHINDIG-89:
-------------------------------

    Attachment: escaping-patch.patch

Note that it does on-the-fly escaping in the client -- this is because not all data hits the server.


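The issue and the update above describe the fix only at a high level: user pref and view parameters are HTML-escaped in the client as they are read, with a separate unescaping path for code that needs the raw value. The following is an added illustration of that design, not the attached patch or Shindig's own gadgets.Prefs code; the `SafePrefs` class, its method names, the `up_` prefix handling and the sample query string are assumptions made here for illustration.

```javascript
// Added example (not Shindig's code): a minimal gadgets.Prefs-style accessor
// that HTML-escapes user prefs (assumed here to arrive as up_* parameters) and
// the view parameter as they are read from the gadget URL in the client, since
// not all of that data passes through the server. Names are assumptions.

var HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning inside HTML text or
// attribute values, so a value set by an outside site cannot become markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, function (c) { return HTML_ESCAPES[c]; });
}

// Reverse of escapeHtml, for code paths that need the raw value (e.g. a text
// node set via textContent, or a value echoed back to the server).
function unescapeHtml(value) {
  return String(value)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" decodes to "&lt;", not "<"
}

// Decode one query component; malformed percent-encoding is kept verbatim
// rather than thrown, so one bad parameter does not break the whole gadget.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Parse "?a=1&b=2" into a plain object of decoded (still raw, unescaped) values.
function parseQuery(query) {
  var params = {};
  var q = query.charAt(0) === '?' ? query.substring(1) : query;
  if (!q) { return params; }
  var pairs = q.split('&');
  for (var i = 0; i < pairs.length; i++) {
    var idx = pairs[i].indexOf('=');
    var rawKey = idx === -1 ? pairs[i] : pairs[i].substring(0, idx);
    var rawVal = idx === -1 ? '' : pairs[i].substring(idx + 1);
    params[safeDecode(rawKey)] = safeDecode(rawVal);
  }
  return params;
}

var hasOwn = Object.prototype.hasOwnProperty;

// Hypothetical Prefs-like object: stores raw values, escapes on read.
function SafePrefs(queryString) {
  var params = parseQuery(queryString);
  this.prefs_ = {};
  for (var key in params) {
    if (hasOwn.call(params, key) && key.indexOf('up_') === 0) {
      this.prefs_[key.substring(3)] = params[key];
    }
  }
  this.view_ = hasOwn.call(params, 'view') ? params['view'] : 'default';
}

// Escaped on the fly at read time: safe to write straight into innerHTML.
SafePrefs.prototype.getString = function (name) {
  return escapeHtml(hasOwn.call(this.prefs_, name) ? this.prefs_[name] : '');
};

// The "unescaping mechanism": explicit opt-in to the raw value.
SafePrefs.prototype.getUnescapedString = function (name) {
  return unescapeHtml(this.getString(name));
};

// The view parameter gets the same treatment as a user pref.
SafePrefs.prototype.getView = function () {
  return escapeHtml(this.view_);
};

// Constructed sample URL: a pref containing markup and an ampersand, a quoted
// view name, and a plain numeric pref.
var SAMPLE_QUERY = '?up_title=%3Cb%3EHi%3C%2Fb%3E+%26+bye&view=%22home%22&up_count=3';
```

With `SAMPLE_QUERY`, `new SafePrefs(SAMPLE_QUERY).getString('title')` yields `&lt;b&gt;Hi&lt;/b&gt; &amp; bye`, which renders as literal text rather than a `<b>` element, while `getUnescapedString('title')` returns the original `<b>Hi</b> & bye` for callers that deliberately want it. Escaping at read time rather than at render time is what makes the protection hold even for parameters that never reach the server, which is the point of the update above.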


[jira] Closed: (SHINDIG-89) Prefs / view parameter escaping

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-89?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Brown closed SHINDIG-89.
------------------------------

    Resolution: Fixed

rev630172

