Re: [Stripes-users] A potential XSS vulnerability in Stripes?

Thu, 03 Jul 2008 06:32:28 -0700 

Hey Alan,

I'm not sure this is a bug.  I'm not saying it isn't, I'm just not  
sure it is either.  You are supplying recordName to the message  
right?  If we escaped all the parameters to a message then you would  
never be able to supply an HTML character in a message.  If you  
wanted to write (god knows why, but whatever):
        new SimpleMessage("Error: {0}", "You sir are a <bold>moron</bold>")
you wouldn't be able to.

The only things that the validation errors encode by default (I  
believe) are the user input which isn't supplied by the progammer,  
but directly by the user.

We could, to make life easier, provide an optional method or  
something to switch on encoding, but I don't think we'd want to do it  
all the time.  Thoughts?

-t

On Jul 3, 2008, at 8:43 AM, Alan Burlison wrote:

> Should I log this as a bug?
>
>> I have some code like this:
>>
>> ctx.getMessages().add(new SimpleMessage(
>>    "Record ''{0}'' deleted", recordName));
>>
>> If recordName contains HTML characters they are output unescaped  
>> by the
>> <stripes:messages> tag.  This contrasts with field validation errors,
>> which are correctly escaped.  Shouldn't all the error handling and
>> messaging stuff work the same way, and escape HTML characters?
>
> -- 
> Alan Burlison
> --
>
> ---------------------------------------------------------------------- 
> ---
> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
> Studies have shown that voting for your favorite open source project,
> along with a healthy diet, reduces your potential for chronic lameness
> and boredom. Vote Now at http://www.sourceforge.net/community/cca08
> _______________________________________________
> Stripes-users mailing list
> Stripes-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/stripes-users


-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users

Reply via email to