Posted to dev@continuum.apache.org by Brett Porter <br...@apache.org> on 2011/04/13 09:14:17 UTC

Re: svn commit: r1091669 [1/2] - in /continuum/trunk/continuum-webapp/src/main/webapp/WEB-INF/jsp: ./ admin/ components/ navigations/


On 13/04/2011, at 4:36 PM, ctan@apache.org wrote:

> Author: ctan
> Date: Wed Apr 13 06:36:20 2011
> New Revision: 1091669
> 
> URL: http://svn.apache.org/viewvc?rev=1091669&view=rev
> Log:
> [CONTINUUM-2620] use c:out and fn:escapeXml to prevent XSS attacks

It's good to be cautious in this area, but most of the c:out's are overprotective (e.g. things that are generated by the app). I'd like to make sure we catch these things where they are invalid on the way in, rather than just on the page.

I'm not sure the fn:escapeXml is useful. On the redback tags, there's no XSS risk as it never gets onto the page. For the following, it might not be sufficient:

<a style="border: 1px solid #DFDEDE; padding-left: 1em; padding-right: 1em; text-decoration: none;" href="${fn:escapeXml(projectGroupMembersUrl)}"

What happens if the url contains this?

" onerror="javascript:alert('gotcha')

I think as long as those URLs are properly validated where they are created they should be fine without the fn.

- Brett

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
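The distinction Brett draws above, between escaping a value as it is written to the page and validating it where it is created, can be shown on the exact string he asks about. The following is an added example, not code from the Continuum project or from this thread; it re-implements the character mapping of JSTL's fn:escapeXml in a local method (an assumption about that mapping, not the taglib class itself) and adds a hypothetical isSafeHref check that accepts only http(s) URLs or scheme-less relative paths. The sample inputs are constructed except for the one quoted from the message.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Continuum code): contrasts output escaping of an
 * href attribute with validating the URL on the way in.
 */
public class HrefEscapingDemo {

    /**
     * Same five-character mapping as JSTL's fn:escapeXml (assumption:
     * re-implemented here rather than calling the taglib's Functions class).
     */
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /**
     * Hypothetical "on the way in" check: the value is only accepted if it
     * parses as a URI and is either a relative path or uses an allowed scheme.
     * A javascript: URL is syntactically valid but is rejected by the allow-list.
     */
    static boolean isSafeHref(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(candidate);   // raw quotes and spaces fail to parse
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            // relative reference: keep it a path, not a protocol-relative "//host/..." link
            return !candidate.startsWith("//");
        }
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] samples = {
            "/continuum/projectGroupMembers.action?projectGroupId=1", // constructed app-generated link
            "http://example.org/group/members",                        // constructed absolute link
            "\" onerror=\"javascript:alert('gotcha')",                 // the string quoted in the thread
            "javascript:alert('gotcha')"                               // a URL that escaping leaves unchanged
        };
        for (String s : samples) {
            System.out.println("input     : " + s);
            System.out.println("escaped   : href=\"" + escapeXml(s) + "\"");
            System.out.println("validated : " + (isSafeHref(s) ? "accepted" : "rejected"));
            System.out.println();
        }
    }
}
```

Running it shows that escaping turns the embedded double quote into `&#034;`, so that particular string cannot close the attribute, but escaping leaves a plain `javascript:` URL byte-for-byte intact inside a perfectly well-formed href. Only the scheme allow-list rejects it, which is the reason for validating URLs where they are generated rather than relying on fn:escapeXml at the page.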


Re: svn commit: r1091669 [1/2] - in /continuum/trunk/continuum-webapp/src/main/webapp/WEB-INF/jsp: ./ admin/ components/ navigations/

Posted by Marica Tan <ma...@gmail.com>.
On Wed, Apr 13, 2011 at 3:14 PM, Brett Porter <br...@apache.org> wrote:

>
>
> On 13/04/2011, at 4:36 PM, ctan@apache.org wrote:
>
> > Author: ctan
> > Date: Wed Apr 13 06:36:20 2011
> > New Revision: 1091669
> >
> > URL: http://svn.apache.org/viewvc?rev=1091669&view=rev
> > Log:
> > [CONTINUUM-2620] use c:out and fn:escapeXml to prevent XSS attacks
>
> It's good to be cautious in this area, but most of the c:out's are
> overprotective (e.g. things that are generated by the app). I'd like to make
> sure we catch these things where they are invalid on the way in, rather than
> just on the page.
>
Will still be adding/modifying validations in the action classes.


> I'm not sure the fn:escapeXml is useful. On the redback tags, there's no
> XSS risk as it never gets onto the page. For the following, it might not be
> sufficient:
>
> <a style="border: 1px solid #DFDEDE; padding-left: 1em; padding-right: 1em;
> text-decoration: none;" href="${fn:escapeXml(projectGroupMembersUrl)}"
>
> What happens if the url contains this?
>
> " onerror="javascript:alert('gotcha')
>
> I think as long as those URLs are properly validated where they are created
> they should be fine without the fn.
>
>
Ok noted.


Thanks,
--
Marica


> - Brett
>
> --
> Brett Porter
> brett@apache.org
> http://brettporter.wordpress.com/
>
>