From: Simon M. (JIRA) <jir...@ob...> - 2010-08-28 21:27:27
[PATCH] prevents a potential cross-site-scripting hack by passing javascript in as the wosid
--------------------------------------------------------------------------------------------

                 Key: WONDER-578
                 URL: http://issues.objectstyle.org/jira/browse/WONDER-578
             Project: Project Wonder
          Issue Type: Bug
            Reporter: Simon McLean
         Attachments: ERXRequest.java.patch

A recent penetration test performed by an external company highlighted the ability to perform a cross-site-scripting hack on a WebObjects app by passing in JavaScript as the wosid. I can provide an example that demonstrates the issue if required (although I will need to do this offline).

The attached patch overrides formValues in ERXRequest to check the value of the wosid being passed in. If it contains illegal characters it is stripped from the dictionary.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.objectstyle.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
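As an added illustration of the check the report describes (this is not the attached ERXRequest.java.patch and not Project Wonder's own code): a stand-alone Java class that applies an allow-list to the wosid form value and drops the whole parameter when any value fails it, the same strip-rather-than-sanitize strategy the patch takes. The allow-list of ASCII letters and digits is an assumption about what a legitimate WebObjects session ID can contain, and java.util.Map with List values stands in for the NSDictionary of NSArray that WORequest.formValues() returns.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Stand-alone illustration of the wosid check described in WONDER-578.
 * A session ID that carries characters a real ID can never contain is
 * removed from the form values before anything downstream can echo it
 * back into a URL or hidden form field. Added example, not the patch.
 */
public class WosidFilterExample {

    /** Default form key under which WebObjects carries the session ID. */
    public static final String SESSION_ID_KEY = "wosid";

    /**
     * Assumption: a legitimate session ID is a non-empty run of ASCII
     * letters and digits. Anything else ('<', '"', '(', ';', '/' ...) is
     * treated as hostile rather than escaped.
     */
    private static final Pattern LEGAL_SESSION_ID = Pattern.compile("[A-Za-z0-9]+");

    public static boolean isLegalSessionId(String value) {
        return value != null && LEGAL_SESSION_ID.matcher(value).matches();
    }

    /**
     * Returns a copy of the form values with the wosid entry removed when
     * any of its values fails the allow-list. The parameter is dropped
     * entirely: a partially cleaned session ID is of no use to anyone.
     */
    public static Map<String, List<String>> stripIllegalSessionId(
            Map<String, List<String>> formValues) {
        Map<String, List<String>> filtered = new HashMap<>(formValues);
        List<String> ids = filtered.get(SESSION_ID_KEY);
        if (ids != null) {
            for (String id : ids) {
                if (!isLegalSessionId(id)) {
                    filtered.remove(SESSION_ID_KEY);
                    break;
                }
            }
        }
        return filtered;
    }

    public static void main(String[] args) {
        // Constructed request parameters: a script payload in place of a session ID
        Map<String, List<String>> hostile = new HashMap<>();
        hostile.put(SESSION_ID_KEY, Arrays.asList("<script>alert(1)</script>"));
        hostile.put("q", Arrays.asList("search term"));

        // Constructed request parameters with a plausible, well-formed session ID
        Map<String, List<String>> benign = new HashMap<>();
        benign.put(SESSION_ID_KEY, Arrays.asList("SnKBINtDRcX4lXp0q5THI0"));

        System.out.println("hostile wosid kept: "
                + stripIllegalSessionId(hostile).containsKey(SESSION_ID_KEY));
        System.out.println("benign wosid kept:  "
                + stripIllegalSessionId(benign).containsKey(SESSION_ID_KEY));
        System.out.println("other params kept:  "
                + stripIllegalSessionId(hostile).containsKey("q"));
    }
}
```

Two points worth keeping in mind when wiring a check like this into a real request class: the allow-list should match how the application actually generates session IDs, or legitimate sessions will be dropped, and the same validation belongs wherever the session ID is read from the request (cookie or query string as well as form values), since an attacker controls all of those equally.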