[Seaside-dev] Issue 85 in seaside: Cross-Site Scripting issues in Seaside

codesite-noreply at google.com
Sat Jun 28 13:45:55 UTC 2008


Issue 85: Cross-Site Scripting issues in Seaside
http://code.google.com/p/seaside/issues/detail?id=85

New issue report by martin.holst:
What steps will reproduce the problem?
1. Generating a 404 from a seaside-site that has not implemented custom
404 handling.
2. The 404-page does not employ proper HTML encoding when reflecting user
input back in page.

Example:
http://seaside.st/ohcmon%3Cscript%3Ealert(%27xss%27)%3C/script%3E

What is the expected output? What do you see instead?
Expected: the text
Error: "/seaside/ohcmon<script>alert('xss')</script>" not found.
Actual:
Text: Error: "/seaside/ohcmon" not found.
and JavaScript gets executed

What version of the product are you using? On what operating system?
This seems to be in all (?) versions of seaside, and potentially has very
large impact on all sites running on seaside.

Please provide any additional information below.
Information on XSS:
http://www.owasp.org/index.php/Cross_Site_Scripting



Issue attributes:
	Status: New
	Owner: ----
	Labels: Type-Defect Priority-Medium
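The reflection described in the report, as an added example in Python. This is not Seaside's code (Seaside is Smalltalk; in its canvas `html text:` escapes while `html html:` emits raw markup, and a fix would belong in the default 404 handler). The two renderers, the page template and the check function are constructed for illustration; the request path is the percent-decoded form of the URL given in the report. The parser-based check reproduces both the "Actual" text (script content is not visible text) and the "Expected" text (the payload is shown literally) from the report.

```python
"""Reflected XSS in a 404 page: raw interpolation vs. HTML-escaped output."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# The URL from the bug report (constructed input for this example).
REPORTED_URL = "/seaside/ohcmon%3Cscript%3Ealert(%27xss%27)%3C/script%3E"


def render_404_vulnerable(path: str) -> str:
    """Assumed vulnerable handler: the decoded path goes straight into markup."""
    return f'<html><body>Error: "{path}" not found.</body></html>'


def render_404_fixed(path: str) -> str:
    """Same template, but the path is escaped for an HTML text context.

    quote=True also neutralises ' and " so the same helper is safe inside
    attribute values, not only element content.
    """
    return f'<html><body>Error: "{escape(path, quote=True)}" not found.</body></html>'


class _PageInspector(HTMLParser):
    """Counts <script> start tags and collects the text a browser would display."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self._in_script = False
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are executed, not rendered, so they are not visible text.
        if not self._in_script:
            self._text.append(data)

    @property
    def visible_text(self) -> str:
        return "".join(self._text)


def _inspect(body: str) -> _PageInspector:
    p = _PageInspector()
    p.feed(body)
    p.close()
    return p


def injected_script_tags(body: str) -> int:
    """Number of <script> elements the browser would parse out of the response."""
    return _inspect(body).script_tags


def visible_text(body: str) -> str:
    """Text a user would see; entity references are decoded as a browser would."""
    return _inspect(body).visible_text


def check_404_handler(render, raw_url_path: str) -> dict:
    """Drive a 404 renderer with a raw request path and report what the browser gets."""
    body = render(unquote(raw_url_path))
    return {
        "body": body,
        "script_tags": injected_script_tags(body),
        "visible_text": visible_text(body),
    }


if __name__ == "__main__":
    for name, render in (("vulnerable", render_404_vulnerable), ("fixed", render_404_fixed)):
        result = check_404_handler(render, REPORTED_URL)
        print(f"{name}: script tags={result['script_tags']} text={result['visible_text']!r}")
```

Run as a script: the vulnerable renderer yields one parsed `<script>` element and the visible text `Error: "/seaside/ohcmon" not found.`, matching the report's "Actual"; the escaped renderer yields no script element and the literal payload in the visible text, matching the report's "Expected". The same `check_404_handler` can be pointed at any renderer that takes the decoded path, which is the check a fix for this issue should pass.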
