Java Mailing List Archive

http://www.junlu.com/


[OT] XSS ( was Cross site scripting issue )

Joseph McGranaghan

2007-03-16



Hey guys, I'm gonna start this as an [OT] as a courtesy.

Found a scenario where filtering the output won't do, I think.

I'm doing an all ajax webapp.
I send an internal mail message to a user's inbox,
the same as a user-to-user message would.

Embedded in the message is this:

<div style="margin: 0px auto;">
  <a onclick="sayYes('203895');">YES</a>
  <a onclick="sayNo('203895');">NO</a>
</div>

The JavaScript functions do ajax stuff (I use dojo.io, mostly).

The same code in my system sends this and sends a user's mail message.

The difference:

  1) when a user submits a message via a rich text wysiwyg,
      my XSS filter would clean this type of stuff out.

  2) when my server code sends this stuff, it goes without a hitch



-Joe
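As an added example that is not from the original post or its author: one way to keep the two cases apart is to stop treating a message as a blob of markup that an input filter must clean, and instead store it as data, escaping the user-authored body on output while the server-generated YES/NO widget is emitted only from a typed, validated field. Names such as `renderMessage`, `renderConfirmWidget` and the message shape are assumptions.

```javascript
// Added example, not from the original post. Escape user text on output and
// render the server-side action widget only from structured, validated data.

// Minimal HTML escaping for text that lands inside an element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Server-generated action widget, the same markup as in the post.
// The id is checked to be purely numeric before it is placed inside an
// onclick attribute, so nothing but digits can reach the JavaScript context.
function renderConfirmWidget(id) {
  if (!/^\d{1,12}$/.test(id)) throw new Error('invalid message id');
  return '<div style="margin: 0px auto;">' +
    `<a onclick="sayYes('${id}');">YES</a>` +
    `<a onclick="sayNo('${id}');">NO</a>` +
    '</div>';
}

// A message is data, not markup: { from, body, action? }.
// body is untrusted (user-to-user text); action is set only by server code
// and is never taken from the submitted body, so no input filter is needed.
function renderMessage(msg) {
  let html = `<p class="body">${escapeHtml(msg.body)}</p>`;
  if (msg.action && msg.action.type === 'confirm') {
    html += renderConfirmWidget(msg.action.id);
  }
  return html;
}

// Constructed sample messages (hypothetical data).
const systemMessage = {
  from: 'system',
  body: 'Accept the invitation?',
  action: { type: 'confirm', id: '203895' },
};
// Markup typed into the rich-text editor is shown as text, never executed.
const userMessage = {
  from: 'alice',
  body: '<a onclick="sayYes(\'203895\');">YES</a>',
};
```

The same rendering path serves both the system message and the user message; the difference in behaviour comes from which field the markup lives in, not from filtering.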



