portals-jetspeed-dev mailing list archives

From Santiago Gala <sg...@apache.org>
Subject Cross Site Scripting Vulnerability [was: Filter URLs]
Date Fri, 02 Mar 2007 08:31:17 GMT
On Tue, 2007-02-27 at 15:23 +0100, Eric Nolte wrote:
> Hi,
> 
> it seems that Jetspeed in its default configuration is vulnerable to
> cross-site scripting like this:
> http://localhost:8080/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e
> 
> My question is how can I prevent this?
> One possibility is to write a valve and filter the URL. Depending on
> the pattern of the URL I can reject the request.
> 
> Do you have a better idea how to solve this or is there already a
> common way for doing this?
> 

Could you please report it as a JIRA issue? IMO this is a blocker if it
is still present in 2.1rc*

Regards
Santiago

> Thanks in advance.
> 
> Regards,
>  Eric
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
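Editor's note on the two approaches raised in the thread. The payload in Eric's URL decodes to `"><script>alert('XSS test')</script>`: it starts by closing a double-quoted attribute value, which only works if the portal writes the request path back into its markup without escaping it. The durable fix is therefore to HTML-escape the path at every output point; rejecting suspicious paths at the container edge (Eric's valve idea) is a stopgap that cuts off this one vector. The class below is an added illustration of both, written for this note; it is not Jetspeed code and did not appear in the thread. It is done as a portable servlet `Filter` rather than a Tomcat `Valve`, and the class name `PathRejectFilter` and the `SAFE_PATH` allow-list (the assumption that Jetspeed page paths such as `/portal/pages/default-page.psml` only need letters, digits, `.`, `_`, `~`, `/` and `-`) are choices made here, not project conventions.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter, added as an illustration; not Jetspeed code.
 * Two independent defences: reject requests whose decoded path falls outside
 * a conservative allow-list (the "filter the URL" stopgap from the thread),
 * and htmlEscape(), which is what any code that echoes the path into the
 * page must call regardless of whether the filter is installed.
 */
public class PathRejectFilter implements Filter {

    // Allow-list for a whole request path. Assumption: Jetspeed page paths
    // such as /jetspeed/portal/pages/default-page.psml only use these characters.
    private static final Pattern SAFE_PATH = Pattern.compile("^[A-Za-z0-9._~/-]*$");

    /**
     * Percent-decodes the raw request URI (so %3c is judged as '<', not as
     * three harmless characters) and checks it against the allow-list.
     * Decodes up to twice so a double-encoded %253c does not slip through.
     */
    public static boolean isSafePath(String rawUri) {
        if (rawUri == null) {
            return true;
        }
        String decoded = rawUri;
        try {
            for (int i = 0; i < 2 && decoded.indexOf('%') >= 0; i++) {
                decoded = URLDecoder.decode(decoded, "UTF-8");
            }
        } catch (IllegalArgumentException e) {
            return false; // malformed %xx sequence: reject rather than guess
        } catch (UnsupportedEncodingException e) {
            return false; // cannot happen for UTF-8, but the API declares it
        }
        // URLDecoder also maps '+' to a space, which the allow-list rejects;
        // acceptable for page paths, not something to reuse on form bodies.
        return SAFE_PATH.matcher(decoded).matches();
    }

    /** Escapes the five characters that matter in HTML text and attribute values. */
    public static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public void init(FilterConfig filterConfig) {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // getRequestURI() returns the path as sent on the wire, still percent-encoded.
        if (!isSafePath(req.getRequestURI())) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    // Stand-alone check using the payload quoted in the thread.
    public static void main(String[] args) {
        String bad = "/jetspeed/portal/pages/default-page.psml/%22%3e%3cscript%3ealert(%27XSS%20test%27)%3c/script%3e";
        String good = "/jetspeed/portal/pages/default-page.psml";
        System.out.println("good path accepted: " + isSafePath(good));
        System.out.println("payload rejected:   " + !isSafePath(bad));
        System.out.println("escaped: " + htmlEscape("\"><script>alert('XSS test')</script>"));
    }
}
```

To use the filter, map it in web.xml ahead of the portal servlet's URL pattern. Treat it as defence in depth only: it says nothing about query parameters, headers or portlet preferences that may also be reflected, and a legitimate page name containing a character outside the allow-list would be refused. The escaping side is the actual fix, and it has to be applied where the path is written into HTML, not where it is read.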

