AW: [opencms-dev] cross site scripting handling in OpenCms
Rainer Vehns
vehns at codecentric.de
Sun May 29 21:29:30 CEST 2005
Hello again,
after further investigation I think that his security issue should be
handled by the webserver or servlet engine, e.g. Apache with mod_security.
It doesn't make sense that OpenCms handles that, because if you use the
static export feature, OpenCms has no control about serving the URLs.
So ignore my last mail, but perhaps someone is in the same situation,
Rainer
_____
Von: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] Im Auftrag von Rainer Vehns
Gesendet: Sonntag, 29. Mai 2005 21:07
An: opencms-dev at opencms.org
Betreff: [opencms-dev] cross site scripting handling in OpenCms
Hello all,
there is a common security issue called "cross site scripting" (XSS) and we
have recognized, that our implementation with OpenCms does not take care
about this. For example if I enter the URL
"http://test.domain.de/opencms/opencms/
<http://test.domain.de/opencms/opencms/%3cscript%3ealert(%22here>
<script>alert("here we are");</script>" the browser interprets the appended
JavaScript. There are articles about this security hole, but more important:
our customer wants us to fix that.
Does someone have a working (generic) solution, or is this issue addressed
in future versions? We are currently using version 6 beta 2.
I would contribute a solution, but before I want to get sure, that I don't
do something, which already exists.
Kind regards,
Rainer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20050529/a2a70700/attachment.htm>
More information about the opencms-dev
mailing list