[OSM-dev] XSS Vulnerabilities

SteveC steve at asklater.com
Tue Jan 15 08:57:11 GMT 2008


On 15 Jan 2008, at 00:17, Tom Hughes wrote:

> In message <20080115000820.GA11303 at lochewe.mathy.remote.org>
>          Frederik Ramm <frederik at remote.org> wrote:
>
>> Fixing the particular problem is probably a one-liner for our ruby
>> heroes but as you said in your initial E-Mail, the problem may be
>> widespread and should be investigated thoroughly. Maybe I can even
>> create a username that contains HTML and this then gets displayed in
>> other people's "users near you" lists and so on. Maybe I can enter
>> place names into OSM that have HTML in them, and they get displayed
>> with the name finder results?
>
> It's anything but trivial to fix (without losing functionality) which
> is why it hasn't been done before.
>
> If whoever originally wrote the code had thought about these things
> then it would have been easy, but dealing with the legacy data that we
> now have makes it hard.

when you print the content, can't you just escape HTML brackets?

<%= blah.content.gsub('<', '&lt;') %>

in fact, isn't there a Rails function to do it?


> Tom
>
> -- 
> Tom Hughes (tom at compton.nu)
> http://www.compton.nu/

have fun,

SteveC | steve at asklater.com | http://www.asklater.com/steve/
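As an added illustration of the point raised in this message (this is example code, not anything from the thread or from the OSM Rails port): the one-character `gsub` above only neutralises `<`, while the stdlib helper `ERB::Util.html_escape` (the method Rails exposes as `h`) also covers `>`, `&` and quotes. The sample username and attribute value below are constructed for the demo; the `leaks?` check is a hypothetical helper that flags raw unsafe characters left in rendered output.

```ruby
require "erb"   # ERB::Util.html_escape is the helper Rails wraps as h()

# Constructed sample values: what a stored username or place name could
# contain once it is rendered into HTML without proper escaping.
SAMPLE_NAME = %q{Bob <script>alert(1)</script> & "friends"}
SAMPLE_ATTR = %q{x" onmouseover="alert(1)}

# The one-character approach from the thread: only the opening bracket.
def naive_escape(text)
  text.gsub("<", "&lt;")
end

# Full escaping via the stdlib helper that Rails exposes as h().
def full_escape(text)
  ERB::Util.html_escape(text)
end

# Render a value inside an attribute: the context the naive version misses
# entirely, because a double quote is enough to break out of the attribute.
def render_attr(value, escaper)
  %(<a title="#{send(escaper, value)}">profile</a>)
end

# Raw <, >, quotes, or an ampersand that does not start an entity reference.
UNESCAPED = /[<>"']|&(?![a-zA-Z]+;|#\d+;)/

# Hypothetical check: true if the rendered text still carries unsafe chars.
def leaks?(rendered)
  rendered.match?(UNESCAPED)
end

def demo
  {
    naive_text: naive_escape(SAMPLE_NAME),
    full_text:  full_escape(SAMPLE_NAME),
    naive_attr: render_attr(SAMPLE_ATTR, :naive_escape),
    full_attr:  render_attr(SAMPLE_ATTR, :full_escape),
  }
end

if __FILE__ == $0
  demo.each { |label, out| puts "#{label} (leaks=#{leaks?(out)}): #{out}" }
end
```

Run it and the `naive_attr` line shows the attribute breakout intact, while both `full_*` lines are inert; escaping has to be applied at every output point, which is why the legacy data Tom mentions is the hard part rather than the helper itself.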