[opencms-dev] cross site scripting handling in OpenCms
Rainer Vehns
vehns at codecentric.de
Sun May 29 21:06:45 CEST 2005
Hello all,
There is a common security issue called "cross site scripting" (XSS), and we
have recognized that our implementation with OpenCms does not take care
of this. For example, if I enter the URL
"http://test.domain.de/opencms/opencms/<script>alert("here we are");</script>",
the browser interprets the appended JavaScript. There are articles about this
security hole, but more importantly, our customer wants us to fix that.
Does someone have a working (generic) solution, or is this issue addressed
in future versions? We are currently using version 6 beta 2.
I would contribute a solution, but first I want to make sure that I don't
do something which already exists.
Kind regards,
Rainer
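
Added example, not part of the original post and not OpenCms code: a sketch of the behaviour described above next to its output-encoded form. It assumes the reflection happens when the server writes the requested path into an HTML page (a "not found" page here); the class and method names are hypothetical, and it needs Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added illustration; class and method names are hypothetical, not OpenCms APIs.
public class ReflectedPathDemo {

    // Vulnerable form: the decoded request path goes into the HTML unchanged.
    static String notFoundPageUnsafe(String decodedPath) {
        return "<html><body><p>Not found: " + decodedPath + "</p></body></html>";
    }

    // Hardened form: the same page with the path HTML-encoded on output.
    static String notFoundPageSafe(String decodedPath) {
        return "<html><body><p>Not found: " + escapeHtml(decodedPath) + "</p></body></html>";
    }

    // Encodes the characters that can open a tag, entity or quoted attribute value.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Path of the URL from the post, percent-encoded as a browser sends it.
        String rawPath = "/opencms/opencms/%3Cscript%3Ealert(%22here%20we%20are%22);%3C/script%3E";
        // Stands in for the decoding a servlet container applies to the request path.
        String path = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);

        String unsafe = notFoundPageUnsafe(path);
        String safe = notFoundPageSafe(path);
        System.out.println(unsafe);
        System.out.println(safe);

        // The unsafe page carries a live script element; the safe page must not.
        if (!unsafe.contains("<script>") || safe.contains("<script>")) {
            throw new AssertionError("encoding check failed");
        }
    }
}
```

The encoder covers HTML element content and quoted attribute values only; values written into JavaScript, CSS or URL contexts need the encoding for that context.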