[yast-devel] WebYaST status 15-Mar-2010
jsrain, schubi, mvidner, kkaempf, tgoettlicher, jdsn, jsuchome, vgorobets, jreidinger, mkudlvasr
missing: lslezak, mzugec

Goals for the week:
- SLES11 SP1 RC1 release
- Brainshare preparation (== Robustness + Stability)

ALL: Break your colleagues' module, enter random data into input fields, click around like crazy, etc.

Detailed status:

jsrain:
- testing
- next: help with SP1 release

schubi:
- testing
- updated SP1 translations
- next: Brainshare prep

mvidner:
- patches for WebYaST 1.0
- next: release mgmt for RC1

tgoettlicher:
- SLMS + WebYaST
- next: continue on SLMS

jdsn:
- SLMS + WebYaST
- next: continue on SLMS

jsuchome:
- testing
- mail setup testing, needs help
- next: services bugfixes

vgorobets:
- bug fixing, catching exceptions
- next: help jsuchome with mail testing

jreidinger:
- testing and bugfixing
- next: details helper for flash message

mkudlvasr:
- testing and bugfixing
- <legend> discussion
- next: more firewall

kkaempf:
- finalize story for Brainshare
- booked documentation time
- next: demo setup for Brainshare

---
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
--
To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org
For additional commands, e-mail: yast-devel+help@opensuse.org
On 15.3.2010 11:02, Klaus Kaempf wrote: [...]
ALL: Break your colleagues' module, enter random data into input fields, click around like crazy, etc.
One more test case: Try entering HTML tags into text fields, check whether the input is properly escaped when printed, or enter a JavaScript input like

<script type="text/javascript">alert("XSS attack!")</script>

If a popup is displayed after loading the page then there is a serious XSS vulnerability!

(Solution: use h() helper in views for escaping all user entered values or values read from a potentially unsafe source (which is almost everything), see http://api.rubyonrails.org/classes/ERB/Util.html#M000315)

I have just reported bnc#588443 (users module), but I'm pretty sure that there are more places...

--
Best Regards
Ladislav Slezák
Yast Developer
------------------------------------------------------------------------
SUSE LINUX, s.r.o.                      e-mail: lslezak@suse.cz
Lihovarská 1060/12                      tel: +420 284 028 960
190 00 Prague 9                         fax: +420 284 028 951
Czech Republic                          http://www.suse.cz/
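The escaping check described in the message above, as an added Ruby example that is not part of the thread or of WebYaST: the same ERB template rendered once without and once with the h() helper from ERB::Util (the helper Rails views expose), fed the constructed script payload from the message, so the difference is visible in the rendered HTML.

```ruby
require "erb"
include ERB::Util   # provides h() (alias of html_escape), as used in Rails views

# Constructed sample input: the kind of value a user could type into a text field.
UNSAFE_INPUT = %q{<script type="text/javascript">alert("XSS attack!")</script>}

# Vulnerable template: the value is interpolated into the page as-is.
UNESCAPED_TEMPLATE = ERB.new("<p>User name: <%= name %></p>")
# Fixed template: the value goes through h() before it reaches the page.
ESCAPED_TEMPLATE   = ERB.new("<p>User name: <%= h(name) %></p>")

# Render the vulnerable template; `name` is picked up from the method binding.
def render_unescaped(name)
  UNESCAPED_TEMPLATE.result(binding)
end

# Render the fixed template.
def render_escaped(name)
  ESCAPED_TEMPLATE.result(binding)
end

# Simple detector a test can use: does the rendered page still carry a live <script> tag?
def contains_script_tag?(html)
  html =~ /<script\b/i ? true : false
end

if __FILE__ == $0
  puts "unescaped: #{render_unescaped(UNSAFE_INPUT)}"
  puts "escaped:   #{render_escaped(UNSAFE_INPUT)}"
end
```

The escaped output keeps the payload as visible text (&lt;script ...&gt;) instead of markup, which is exactly what the browser must see for the popup not to appear.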
On Monday 15 March 2010 19:29:39 Ladislav Slezak wrote:
(Solution: use h() helper in views for escaping all user entered values or values read from a potentially unsafe source (which is almost everything), see http://api.rubyonrails.org/classes/ERB/Util.html#M000315)
You could also use the RailsXss plugin, which escapes all unsafe strings by
default. This will also be the default behavior in Rails 3. As it errs on the
side of safeness I think it's the favorable approach compared to manually
escaping.
--
Cornelius Schumacher