Mailinglist Archive: yast-devel (59 mails)

Re: [yast-devel] WebYaST status 15-Mar-2010
  • From: Ladislav Slezak <lslezak@xxxxxxx>
  • Date: Mon, 15 Mar 2010 19:29:39 +0100
  • Message-id: <4B9E7C93.6030905@xxxxxxx>
On 15.3.2010 11:02, Klaus Kaempf wrote:
ALL: Break your colleagues module, enter random data into input
fields, click around like crazy, etc.

One more test case:

Try entering HTML tags into text fields, check whether the input is properly
escaped when printed, or enter a JavaScript input like

<script type="text/javascript">alert("XSS attack!")</script>

If a popup is displayed after loading the page then there is
a serious XSS vulnerability!

(Solution: use the h() helper in views for escaping all user-entered values
or values read from a potentially unsafe source (which is almost everything).)

I have just reported bnc#588443 (users module), but I'm pretty sure
that there are more places...


Best Regards

Ladislav Slezák
Yast Developer
SUSE LINUX, s.r.o.
Lihovarská 1060/12
190 00 Prague 9
Czech Republic
e-mail: lslezak@xxxxxxx
tel: +420 284 028 960
fax: +420 284 028 951
To unsubscribe, e-mail: yast-devel+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: yast-devel+help@xxxxxxxxxxxx
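The test case and the fix described in the mail above, as an added example that is not part of the original message or of the WebYaST code base. It renders two constructed ERB view fragments, one interpolating a field raw and one through h(), feeds them the script payload from the mail plus a few other constructed inputs a tester might type, and reports which ones survive unescaped. The local h() is a stand-in for the Rails view helper, defined on top of ERB::Util.html_escape (which is what the Rails helper wraps); the template strings, payloads and function names are assumptions for the example.

```ruby
require 'erb'

# Stand-in for the Rails h() view helper (assumption for this example):
# Rails' h() is ERB::Util.html_escape, which escapes & < > " and '.
def h(value)
  ERB::Util.html_escape(value)
end

# Constructed inputs a tester might enter into a text field. The first one is
# the payload from the mail; the others break out of attribute or JS contexts,
# and the last is harmless text that still contains an HTML-significant '&'.
XSS_PAYLOADS = [
  '<script type="text/javascript">alert("XSS attack!")</script>',
  '"><img src=x onerror=alert(1)>',
  "'; alert('XSS'); //",
  'plain text & nothing dangerous'
].freeze

# Two hypothetical view fragments, not WebYaST's real templates.
# UNSAFE_VIEW prints the value as-is; SAFE_VIEW escapes it with h().
UNSAFE_VIEW = '<td class="username"><%= username %></td>'
SAFE_VIEW   = '<td class="username"><%= h(username) %></td>'

# Render a fragment with the given value bound as the local `username`.
def render(template, username)
  ERB.new(template).result_with_hash(username: username)
end

# Characters that must never reach the page unescaped from user input.
HTML_SPECIAL = /[<>&"']/

# True when the value contains markup-significant characters and the
# rendered page still contains it verbatim, i.e. the view did not escape it.
def unescaped?(template, value)
  return false unless value.match?(HTML_SPECIAL)
  render(template, value).include?(value)
end

# Run every payload through a view and return the ones that leak through.
def audit(template, payloads = XSS_PAYLOADS)
  payloads.select { |payload| unescaped?(template, payload) }
end

if __FILE__ == $PROGRAM_NAME
  { 'unsafe view' => UNSAFE_VIEW, 'safe view' => SAFE_VIEW }.each do |name, view|
    leaks = audit(view)
    puts "#{name}: #{leaks.empty? ? 'all inputs escaped' : "#{leaks.size} payload(s) rendered raw"}"
    leaks.each { |p| puts "  leaked: #{render(view, p)}" }
  end
  puts "escaped script payload: #{render(SAFE_VIEW, XSS_PAYLOADS[0])}"
end
```

The check is deliberately stricter than "does a popup appear": a value containing any of & < > " ' that comes back byte-for-byte is treated as a bug, because the same view will be reused in other contexts (attributes, inline scripts) where a different character is the dangerous one. With h() in place every payload is neutralised, and the harmless '&' becomes '&amp;', which is exactly what a browser should receive.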
