Mailinglist Archive: yast-devel (59 mails)

Re: [yast-devel] WebYaST status 15-Mar-2010
  • From: Ladislav Slezak <lslezak@xxxxxxx>
  • Date: Mon, 15 Mar 2010 19:29:39 +0100
  • Message-id: <4B9E7C93.6030905@xxxxxxx>
On 15.3.2010 11:02, Klaus Kaempf wrote:
> [...]
> ALL: Break your colleagues' modules, enter random data into input
> fields, click around like crazy, etc.

One more test case:

Try entering HTML tags into text fields, check whether the input is properly
escaped when printed, or enter a JavaScript input like

<script type="text/javascript">alert("XSS attack!")</script>

If a popup is displayed after loading the page then there is
a serious XSS vulnerability!

(Solution: use h() helper in views for escaping all user entered values
or values read from a potentially unsafe source (which is almost everything),
see http://api.rubyonrails.org/classes/ERB/Util.html#M000315)

I have just reported bnc#588443 (users module), but I'm pretty sure
that there are more places...


--

Best Regards

Ladislav Slezák
Yast Developer
------------------------------------------------------------------------
SUSE LINUX, s.r.o. e-mail: lslezak@xxxxxxx
Lihovarská 1060/12 tel: +420 284 028 960
190 00 Prague 9 fax: +420 284 028 951
Czech Republic http://www.suse.cz/
--
To unsubscribe, e-mail: yast-devel+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: yast-devel+help@xxxxxxxxxxxx
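The test and the fix described in the mail, worked through as an added example (this is not code from the mail or from WebYaST): a minimal stand-in for a Rails view context renders the probe string once without and once with the h() helper from ERB::Util, and a small check reproduces the "popup after loading the page" test by looking for a raw script tag in the rendered output. The ViewContext class, the two view fragments and output_safe? are assumptions made for the example.

```ruby
# Added example, not part of the original mail or of WebYaST.
require 'erb'

# Constructed sample: the exact probe string from the mail.
XSS_SAMPLE = '<script type="text/javascript">alert("XSS attack!")</script>'

# Hypothetical stand-in for a Rails view context. Including ERB::Util gives
# the template the same h()/html_escape helper that the mail links to.
class ViewContext
  include ERB::Util

  def initialize(value)
    @value = value
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# Hypothetical view fragments: one prints the user-entered value as-is,
# the other passes it through h() first.
UNESCAPED_VIEW = '<td><%= @value %></td>'
ESCAPED_VIEW   = '<td><%= h(@value) %></td>'

def render_field(value, escape: true)
  ViewContext.new(value).render(escape ? ESCAPED_VIEW : UNESCAPED_VIEW)
end

# Mirrors the manual test from the mail: a rendered fragment that still
# contains a raw <script tag or an inline event handler would execute the
# submitted value in the browser instead of displaying it as text.
def output_safe?(html)
  html !~ /<script\b/i && html !~ /\son\w+\s*=/i
end

if __FILE__ == $PROGRAM_NAME
  puts render_field(XSS_SAMPLE, escape: false) # raw tag survives: vulnerable
  puts render_field(XSS_SAMPLE, escape: true)  # &lt;script ...&gt;: inert text
  puts output_safe?(render_field(XSS_SAMPLE, escape: false)) # false
  puts output_safe?(render_field(XSS_SAMPLE, escape: true))  # true
end
```

In the Rails 2 era the mail targets, `<%= %>` printed values verbatim, so every user-controlled value had to be wrapped in h() by hand; Rails 3 and later escape `<%= %>` output by default, and the risk then moves to explicit `raw`/`html_safe` calls, which deserve the same review as an unescaped value here.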
