[OSM-dev] XSS Vulnerabilities
Frederik Ramm
frederik at remote.org
Tue Jan 15 00:08:20 GMT 2008
Hi,
> I should have been a little more clear in my mail.
I wasn't trying to belittle the problem; I'm aware that if you can get
a <b> through you can do a lot more. On second thought, my posting was
perhaps not that useful because those with an understanding of
security will probably have known what a "XSS type 2 vulnerability" is
(I didn't), and those with no understanding won't know that a <b> can be
the beginning of the end.
Fixing the particular problem is probably a one-liner for our ruby
heroes but as you said in your initial E-Mail, the problem may be
widespread and should be investigated thoroughly. Maybe I can even
create an username that contains HTML and this gets then displayed in
other people's "users near you" lists and so on. Maybe I can enter
place names into OSM that have HTML in them, and they get displayed
with the name finder results?
(Check out woodpeck's new OSM diary here:
http://www.openstreetmap.org/user/woodpeck/diary
guaranteed harmless. har har.)
Bye
Frederik
--
Frederik Ramm ## eMail frederik at remote.org ## N49°00.09' E008°23.33'
More information about the dev
mailing list