[OSM-dev] XSS Vulnerabilities

Tom Hughes tom at compton.nu
Tue Jan 15 00:17:31 GMT 2008


In message <20080115000820.GA11303 at lochewe.mathy.remote.org>
          Frederik Ramm <frederik at remote.org> wrote:

> Fixing the particular problem is probably a one-liner for our ruby
> heroes but as you said in your initial E-Mail, the problem may be
> widespread and should be investigated thoroughly. Maybe I can even
> create a username that contains HTML and this then gets displayed in
> other people's "users near you" lists and so on. Maybe I can enter
> place names into OSM that have HTML in them, and they get displayed
> with the name finder results?

It's anything but trivial to fix (without losing functionality), which
is why it hasn't been done before.

If whoever originally wrote the code had thought about these things
then it would have been easy, but dealing with the legacy data that we
now have makes it hard.

Tom

-- 
Tom Hughes (tom at compton.nu)
http://www.compton.nu/



