[UP-3315] Fix some XSS issue around inputting usernames. The issue was ... #379

Merged

Commits on Jul 9, 2014

  1. [up-3315] Fix some XSS issue around inputting usernames. The issue was occurring because "</script>" always terminates the JS block -- even if that's inside a string. The JS interpreter would terminate the block and then misinterpret the unterminated contents of the string as executable code. The *right* solution for this is probably to start whitelisting the input characters for every input field. Any field that will be part of a RESTful URL should not be allowed to contain the '/' character. The "solution" in this commit is intended as a stop-gap. It solves this biggest issue -- the XSS vulnerability -- but it doesn't fully solve the issues caused by invalid chars in the input. IMO, this is better than what we had, but still not great.
     (cherry picked from commit b034dec)
     jhelmer-unicon committed Jul 9, 2014
     Commit 7481538
  2. [UP-3315] Fix some XSS issue around inputting usernames. The issue was occurring because "</script>" always terminates the JS block -- even if that's inside a string. The JS interpreter would terminate the block and then misinterpret the unterminated contents of the string as executable code. The *right* solution for this is probably to start whitelisting the input characters for every input field. Any field that will be part of a RESTful URL should not be allowed to contain the '/' character. The "solution" in this commit is intended as a stop-gap. It solves this biggest issue -- the XSS vulnerability -- but it doesn't fully solve the issues caused by invalid chars in the input. IMO, this is better than what we had, but still not great.
     (cherry picked from commit b034dec)
     jhelmer-unicon committed Jul 9, 2014
     Commit 711b826
  3. Commit 4ffce5a
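The commit messages above describe the mechanism: the HTML tokenizer ends a script element at the first "</script" it sees, whatever the JavaScript string context, so a username containing that sequence splits one inline script into two. The JavaScript below is an added example written for this page; it is not uPortal's code and not part of this PR. It shows the vulnerable pattern (quote-escaping only) beside a hardened serializer, plus a small tokenizer-style splitter that reports which script bodies a browser would actually execute. The `var user = ...` template, the function names, and the sample username are all constructed for illustration.

```javascript
// Added example, not uPortal code: why "</script>" inside a JS string literal
// breaks out of an inline <script>, and how to serialize an untrusted value safely.

// Vulnerable pattern (kept deliberately): the username lands in a JS string
// literal with only backslashes and double quotes escaped. The HTML parser
// never sees the JS quoting, so a literal "</script>" in the value ends the element.
function naiveInlineScript(username) {
  const quoted = '"' + username.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
  return '<script>var user = ' + quoted + ';</script>';
}

// Hardened: JSON-encode the value, then rewrite the characters the HTML parser
// cares about ('<', '>', '&') as JS unicode escapes, which are valid inside a
// JS string literal but invisible to the HTML tokenizer. U+2028/U+2029 are
// line terminators in JS (but not in JSON), so escape them too.
function safeJsValue(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function safeInlineScript(username) {
  return '<script>var user = ' + safeJsValue(username) + ';</script>';
}

// Mimic the tokenizer's "script data" state: each <script> body runs until the
// next "</script" (matched case-insensitively), regardless of JS syntax inside.
// Returns the list of script bodies a browser would hand to the JS engine.
function scriptBodies(html) {
  const bodies = [];
  const re = /<script>([\s\S]*?)<\/script/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Constructed sample username (not from the original issue): closes the
// script element and opens a new one carrying attacker-controlled code.
const payload = 'bob</script><script>alert(document.cookie)</script>';

// Summary helper: how many script elements does each rendering produce, and
// does the hardened one round-trip the value intact?
function compare(username) {
  const naive = scriptBodies(naiveInlineScript(username));
  const safe = scriptBodies(safeInlineScript(username));
  // Evaluate the single hardened body the way the browser would and read back `user`.
  const roundTrip = new Function(safe[0] + ' return user;')();
  return { naiveCount: naive.length, safeCount: safe.length, roundTripOk: roundTrip === username };
}
```

With the sample payload, the naive rendering yields two script elements: the first is the truncated `var user = "bob`, which is a syntax error the browser simply drops, and the second is `alert(document.cookie)`, which runs. The hardened rendering yields one script element whose body still evaluates to the original username, because `\u003c` is an ordinary escape inside a JS string. This addresses only the script-breakout the commit message describes; the separate problem it raises, '/' in values that become part of a RESTful URL, is an input-validation question that this example does not touch.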