Posted to users@myfaces.apache.org by Aleksei Valikov <va...@gmx.net> on 2005/07/18 22:11:38 UTC

JSCookMenu unsecure?

Hi.

If a menu item in JSCookMenu component is assigned a custom action (via 
the action attribute), it gets rendered on the client side in its 
textual form, for instance:

...
['<img src="images/save.bmp"/>', 'Save', 
'_id0:#{nokisEditorContainer.save}', '#', null]
...

This essentially gives clients the possibility to execute on the server 
side whatever method bindings they wish. Seems like a security problem 
or did I miss something?

Bye.
/lexi
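
An added example, not part of the original post and not MyFaces code: one way to keep the method binding off the client is to render an opaque, server-issued token in the menu item and resolve it back to the binding only on the server. The class MenuActionRegistry, its methods, the per-session storage and the sample request values are all hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper (not MyFaces code): method bindings never leave the server. */
public class MenuActionRegistry {
    private static final SecureRandom RNG = new SecureRandom();
    // token -> binding expression; assumed to be stored per user session
    private final Map<String, String> bindings = new ConcurrentHashMap<>();

    /** Render time: returns an opaque token to emit instead of the expression text. */
    public String register(String bindingExpression) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        bindings.put(token, bindingExpression);
        return token;
    }

    /** Decode time: only tokens issued by register() resolve to a binding. */
    public Optional<String> resolve(String submittedValue) {
        return Optional.ofNullable(bindings.get(submittedValue));
    }

    public static void main(String[] args) {
        MenuActionRegistry registry = new MenuActionRegistry();
        String token = registry.register("#{nokisEditorContainer.save}");

        // What the menu array would carry in place of the expression.
        System.out.println("rendered: ['Save', '_id0:" + token + "', '#', null]");

        // Constructed request values: the issued token and a client-edited expression.
        String[] submitted = { token, "#{someBean.otherMethod}" };
        for (String value : submitted) {
            String outcome = registry.resolve(value)
                    .map(expr -> "invoke " + expr)
                    .orElse("reject (not issued by server)");
            System.out.println(value + " -> " + outcome);
        }
    }
}
```

The expression text submitted by the client is never evaluated; a value that was not issued during rendering is rejected before any binding lookup happens.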

Re: JSCookMenu unsecure?

Posted by Sean Schofield <se...@gmail.com>.
Yes JIRA is down :-(

FYI:  The infrastructure team has provided this link to the projects
to help identify what outages are taking place and whether they are
scheduled or not.

http://monitoring.apache.org/status/


On 7/18/05, Aleksei Valikov <va...@gmx.net> wrote:
> Hi.
> 
> > There's a bug in the JIRA similar to this.  I'd post the link but the
> > JIRA is not available right now, at least not from the links on myFaces
> > or Axis.  When it's up, search on 'iantian' for the reporter.
> 
> Ok, fine, thanks. At least, I'm not paranoid.
> 
> Bye.
> /lexi
> 
>

Re: JSCookMenu unsecure?

Posted by Aleksei Valikov <va...@gmx.net>.
Hi.

> There's a bug in the JIRA similar to this.  I'd post the link but the 
> JIRA is not available right now, at least not from the links on myFaces 
> or Axis.  When it's up, search on 'iantian' for the reporter.

Ok, fine, thanks. At least, I'm not paranoid.

Bye.
/lexi


Re: JSCookMenu unsecure?

Posted by De...@ak.blm.gov.
There's a bug in the JIRA similar to this.  I'd post the link but the JIRA 
is not available right now, at least not from the links on myFaces or 
Axis.  When it's up, search on 'iantian' for the reporter.