#358 redirect.html is not secure, vulnerable to xss

Milestone: devel (cvs)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2013-05-09
Created: 2013-05-09
Creator: John Dennis
Private: No

Mozilla does not want epydoc-produced documentation on any of their web sites because they believe redirect.html is insecure and vulnerable to XSS; see this bug report:

https://bugzilla.mozilla.org/show_bug.cgi?id=830081

Comment #7 elucidates the fundamental issue: the dottedName variable is not escaped prior to being inserted into page content. Suggestions for fixing this include escaping the dottedName variable and/or providing an option to turn off the generation of the redirect.html file. FWIW it's not clear to me how useful the redirect feature is in the first place.
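
The escaping fix suggested in the ticket, sketched as an added example; this is not epydoc's code or part of the original report. The function names and message text are hypothetical, and it assumes dottedName reaches the page from an untrusted source such as the page URL.

```javascript
// Added example: hypothetical names and message text, not epydoc's redirect.html.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// A dotted Python name is a run of identifiers joined by single dots.
// Anything else is rejected before it gets near the page.
const DOTTED_NAME = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

function isDottedName(value) {
  return typeof value === "string" && value.length <= 256 && DOTTED_NAME.test(value);
}

// "Before": the value is concatenated into markup as-is, so any tags it
// carries become part of the page.
function notFoundMessageUnsafe(dottedName) {
  return "<p>No documentation found for <code>" + dottedName + "</code></p>";
}

// "After": validate against the expected shape, and still escape what is
// echoed back so a later loosening of the pattern cannot reopen the hole.
function notFoundMessageSafe(dottedName) {
  if (!isDottedName(dottedName)) {
    return "<p>Invalid name.</p>"; // never echo a rejected value
  }
  return "<p>No documentation found for <code>" + escapeHtml(dottedName) + "</code></p>";
}

// Constructed sample inputs (not taken from the bug report).
const SAMPLE_VALID = "epydoc.docwriter.html";
const SAMPLE_CRAFTED = 'pkg.mod<b title="x">&';

function demo() {
  return {
    unsafe: notFoundMessageUnsafe(SAMPLE_CRAFTED), // markup passes through
    escaped: escapeHtml(SAMPLE_CRAFTED),           // markup neutralised
    safeCrafted: notFoundMessageSafe(SAMPLE_CRAFTED),
    safeValid: notFoundMessageSafe(SAMPLE_VALID),
  };
}
```

In a browser the same result is obtained without string building by assigning the value to `textContent` instead of writing markup.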
