
Key: DOTCMS-1786
Type: Bug
Status: Released
Resolution: Released
Priority: Major
Assignee: Testing User
Reporter: Jason Tesser
Watchers: 0
dotCMS

XSS

Created: August 06, 2008 9:06 PM   Updated: July 23, 2009 11:53 AM  Due: 8/12/08
Component/s: a. Unknown
Affects Version/s: None
Fix Version/s: 1.6.5

Time Tracking:
Original Estimate: 1 hour
Remaining Estimate: 0 minutes
Time Spent: 2 hours, 5 minutes

Issue Links:
Cloners
Duplicate

Description
Please test and fix the following.

For example, view in IE:

http://demo.dotcms.org/"><script>alert(097531);</script>/

We have a method in utilmethods to handle this. We can handle it at the top of the Velocity servlet.

Comments
Jason Tesser - August 13, 2008 9:48 AM
Use XSS.strip(url)

This will handle the XSS strip for you.

Put the code in the CMSFilter.

In the XSS class add a method that returns a boolean URLHasXSS.

So in the filter, if hasXSS then strip and redirect.

Yalin Yesiltas - August 13, 2008 12:49 PM
Jason, I committed the code after changing the Xss class, the CMSFilter class and the system.properties file.
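The filter-level fix Jason describes above (check the URL, strip it, redirect), as an added Java example that is not dotCMS's own CMSFilter or XSS class; the urlHasXss and strip methods and the patterns they use are constructed stand-ins for the URLHasXSS and XSS.strip(url) mentioned in the comment:

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/** Illustrative filter, not dotCMS's own CMSFilter: detect markup in the URL, strip it, redirect. */
public class XssUrlFilter implements Filter {

    // Constructed heuristics: characters that break out of an attribute or open a tag,
    // plus the javascript: scheme. Not exhaustive; tune to the application's legitimate URLs.
    private static final Pattern MARKUP_CHARS = Pattern.compile("[<>\"']");
    private static final Pattern JS_SCHEME = Pattern.compile("(?i)javascript:");

    /** Hypothetical counterpart of the URLHasXSS check proposed in the issue. */
    public static boolean urlHasXss(String url) {
        return url != null
                && (MARKUP_CHARS.matcher(url).find() || JS_SCHEME.matcher(url).find());
    }

    /** Hypothetical counterpart of XSS.strip(url); repeats until stable so that fragments
     *  recombined by an earlier removal (e.g. "javajavascript:script:") cannot survive. */
    public static String strip(String url) {
        if (url == null) return null;
        String s = url, prev;
        do {
            prev = s;
            s = JS_SCHEME.matcher(s).replaceAll("");
            s = MARKUP_CHARS.matcher(s).replaceAll("");
        } while (!s.equals(prev));
        return s;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String query = request.getQueryString();
        String full = request.getRequestURI() + (query == null ? "" : "?" + query);
        if (urlHasXss(full)) {
            // Redirect to the cleaned URL instead of rendering a page that reflects the payload.
            response.sendRedirect(strip(full));
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Because the stripped URL no longer matches urlHasXss, the redirect cannot loop; where the container returns the request URI still percent-encoded, run the same check on a URL-decoded copy as well.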