
Fixed the most obvious XSS vulnerability issues in WebBasket. Beware, in the…

Authored by Tibor Simko <tibor.simko@cern.ch> on Oct 23 2006, 12:29.

Description

Fixed the most obvious XSS vulnerability issues in WebBasket. Beware, in the message display, the "final_body" now gets fully escaped, which results in an impossibility to format messages in HTML. For a less-severe approach, only known vulnerable tags (such as PLAINTEXT, SCRIPT, etc.) could be removed; or, even better, only pre-defined whitelisted tags (such as STRONG, EM, P, BR) could be allowed. Currently no HTML is interpreted at all.
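The two options the message contrasts, as an added example that is not code from the Invenio/WebBasket repository: `escape_all` does what the commit does to "final_body" (no HTML survives), while `allowlist_sanitize` re-admits only STRONG, EM, P and BR with every attribute dropped, so basic formatting works but no tag can carry script. The function and class names and the sample input are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Tags re-admitted by the allowlist variant; everything else is dropped.
ALLOWED_TAGS = {"strong", "em", "p", "br"}
VOID_TAGS = {"br"}


def escape_all(body: str) -> str:
    """What the commit does to final_body: every markup character is
    escaped, so the browser interprets no HTML at all."""
    return html.escape(body, quote=True)


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the message from parsed tokens: text is always escaped,
    only allowlisted tags survive, and their attributes are discarded
    (so no onclick=, style= or href= can smuggle script through)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")        # attributes deliberately dropped

    def handle_startendtag(self, tag, attrs):  # e.g. <br/>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # The parser decoded character references; re-escape the result so
        # text content can never be read as markup.
        self.out.append(html.escape(data, quote=True))

    # Comments, <!DOCTYPE ...> and <?...?> hit the no-op defaults and vanish.


def allowlist_sanitize(body: str) -> str:
    """Allowlist variant suggested in the commit message (assumed name)."""
    parser = _AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```

Unknown tags are removed but their text content is kept (escaped), so a `<script>` block degrades to harmless visible text rather than executing.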

Event Timeline

Tibor Simko <tibor.simko@cern.ch> committed R3600:afa9ca1e0ff1: Fixed the most obvious XSS vulnerability issues in WebBasket. Beware, in the… (authored by Tibor Simko <tibor.simko@cern.ch>). Oct 23 2006, 12:29