[OSM-dev] Website Security

Joerg Ostertag openstreetmap at ostertag.name
Wed Nov 7 21:57:29 GMT 2007


On Friday, 2 November 2007 01:47:09, Steve Coast wrote:
> Hi
>
> Passing on to dev

The quick and easy minimum cure for this would be to disallow/remove the
characters <, >, UTF8(<), UTF8(>) from the input.
This would at least cure the easy exploitability.


>
> On 1 Nov 2007, at 17:36, pagan.iKaRuS wrote:
> > Hi Steve.
> >
> > I do not know too much about this cross site scripting stuff. But I
> > think the mySettings page on the openstreetmap.org page can be used
> > for this, because you can easily introduce javascript code to your own
> > profile page and read cookie information. As I mentioned above, I am
> > not a javascript guy, but just add this code to your site and click on
> > the button. The script element needs to be within one line to get
> > around the <p> element which is inserted into every line.
> >
> > <SCRIPT LANGUAGE="JavaScript">function MsgBox (textstring) {
> > alert(textstring) }</SCRIPT>
> >
> > <FORM>
> > <INPUT NAME="submit" TYPE=Button VALUE="Show Cookie"
> > onClick="MsgBox(document.cookie)">
> > </FORM>
> >
> > Greets mardocz
>
> have fun,
>
> SteveC | steve at asklater.com | http://www.asklater.com/steve/
>
>
>
> _______________________________________________
> dev mailing list
> dev at openstreetmap.org
> http://lists.openstreetmap.org/cgi-bin/mailman/listinfo/dev
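Output encoding for the profile text discussed above, as an added example that is not code from this thread or from the OpenStreetMap website: `escapeHtml`, `stripAngleBrackets` and `renderProfileDescription` are hypothetical helper names. It places Joerg's minimum fix (dropping the angle brackets) beside entity-encoding on output, which keeps a user's literal text intact and also neutralises quotes should the value ever be placed inside an attribute. The sample input is the payload posted in the thread, reconstructed inline.

```javascript
// Added example (not from the OSM code base): render user-supplied profile
// text so that markup in it is displayed, not executed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Entity-encode every character that has meaning in HTML text or
// attribute context. Safe for text nodes and double-quoted attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Joerg's proposed minimum cure: remove the angle brackets from the input.
// This blocks tag injection in text content but is lossy ("a < b" becomes
// "a  b") and leaves quotes untouched, so it does not protect attribute
// contexts by itself.
function stripAngleBrackets(text) {
  return String(text).replace(/[<>]/g, "");
}

// Hypothetical renderer: one <p> per input line, as the page described,
// with each line escaped before it is wrapped.
function renderProfileDescription(description) {
  return String(description)
    .split("\n")
    .map((line) => `<p>${escapeHtml(line)}</p>`)
    .join("\n");
}

// Constructed sample: the payload quoted in the thread, as a user would
// paste it into the profile field.
const POSTED_PAYLOAD =
  '<SCRIPT LANGUAGE="JavaScript">function MsgBox (textstring) { alert(textstring) }</SCRIPT>\n' +
  "<FORM>\n" +
  '<INPUT NAME="submit" TYPE=Button VALUE="Show Cookie" onClick="MsgBox(document.cookie)">\n' +
  "</FORM>";

// Simple post-render check usable in a unit test: only the <p> wrappers the
// renderer itself emits may appear as tags in the output.
function onlyParagraphWrappers(html) {
  return html.replace(/<\/?p>/g, "").indexOf("<") === -1;
}

console.log(renderProfileDescription(POSTED_PAYLOAD));
console.log("stripped:", stripAngleBrackets("a < b"), "| escaped:", escapeHtml("a < b"));
```

Encoding at the point of output is the durable fix because it does not depend on what a user was allowed to type; the input-side character filter is a reasonable emergency measure while that is being done.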
