Issue 57: javascript injection in the filters
Potential security bug in that you can easily do javascript injection in
the filters.
For example you can input something like this:
'); alert('hello world');//
Nov 14, 2007
#1
extremec...@gmail.com
Mar 10, 2008
(No comment was entered for this change.)
Labels:
-Priority-Medium Priority-High
Mar 10, 2008
(No comment was entered for this change.)
Labels:
-Type-Defect Type-Enhancement
Oct 22, 2008
Came to of a pretty good side effect of this encoding stuff. Try saving
<script>alert('whoops!');</script> in the worksheet example.
Owner:
jeff.johnston.mn
Mar 22, 2010
<script>alert('whoops!');</script>
Oct 3, 2013
There should be a way to validate the input of the filters. Just output encoding is not enough.
Oct 3, 2013
As a solution I've added a validate method in a custom FilterMatcher and extended SimpleRowFilter to validate the filter value against this FilterMatcher first before iterating through the items collection.
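The two defences discussed in this thread, context-appropriate output encoding and a validate-before-filter step, as an added illustration that is not code from this project or from any of the commenters. It is written in Python rather than against the project's FilterMatcher/SimpleRowFilter classes, so every function name, the `setFilter` script call, the allow-list pattern and the sample rows are assumptions made here for the example. The two payloads come from the issue text above; the point of the example is that HTML-encoding a value that ends up inside a JavaScript string literal does not stop the breakout, while encoding for the JS string context does, and that an allow-list validation step in the filter rejects such input before the rows are ever touched.

```python
import html
import json
import re

# Payloads quoted in the issue thread, used here as test input.
PAYLOAD_JS = "'); alert('hello world');//"
PAYLOAD_HTML = "<script>alert('whoops!');</script>"

# Hypothetical allow-list for a free-text column filter: word characters,
# space and a few punctuation marks, bounded in length. Real rules depend on
# the column type; the idea is to reject anything that is not a plausible
# filter term rather than to hunt for dangerous characters.
ALLOWED_FILTER = re.compile(r"^[\w .,@-]{0,64}$")


def render_naive(filter_value: str) -> str:
    """Vulnerable pattern: the filter text is spliced straight into a script call."""
    return "<a onclick=\"setFilter('" + filter_value + "')\">filter</a>"


def render_html_encoded(filter_value: str) -> str:
    """HTML-encodes only. Neutralises <script> in the page body but not a
    quote breakout, because the browser decodes the entities before the
    attribute value is handed to the JavaScript parser."""
    return (
        "<a onclick=\"setFilter('"
        + html.escape(filter_value, quote=True)
        + "')\">filter</a>"
    )


def js_string_literal(value: str) -> str:
    """Encode for the JS string-literal context: JSON quoting, plus the
    sequences that JSON leaves alone but HTML or JS would misinterpret."""
    literal = json.dumps(value)
    return (
        literal.replace("</", "<\\/")
        .replace("\u2028", "\\u2028")
        .replace("\u2029", "\\u2029")
    )


def render_encoded(filter_value: str) -> str:
    """Encode inside-out: JS string literal first, then HTML attribute."""
    return (
        '<a onclick="setFilter('
        + html.escape(js_string_literal(filter_value), quote=True)
        + ')">filter</a>'
    )


def attribute_js_source(markup: str) -> str:
    """What the JavaScript engine actually parses: the onclick attribute
    after HTML entity decoding."""
    match = re.search(r'onclick="([^"]*)"', markup)
    return html.unescape(match.group(1)) if match else ""


def is_valid_filter_value(value: str) -> bool:
    """The validate step the last comment describes, as an allow-list check."""
    return ALLOWED_FILTER.fullmatch(value) is not None


def filter_rows(rows: list, column: str, filter_value: str) -> list:
    """Validate first, then filter; invalid input never reaches the rows."""
    if not is_valid_filter_value(filter_value):
        raise ValueError("filter value rejected by validation")
    needle = filter_value.lower()
    return [r for r in rows if needle in str(r.get(column, "")).lower()]


# Constructed sample rows for the filter demonstration.
SAMPLE_ROWS = [
    {"name": "Jeff Johnston", "city": "Minneapolis"},
    {"name": "Ada Lovelace", "city": "London"},
]


if __name__ == "__main__":
    for label, fn in (("naive", render_naive),
                      ("html-encoded", render_html_encoded),
                      ("js+html-encoded", render_encoded)):
        print(f"{label:>16}: {attribute_js_source(fn(PAYLOAD_JS))}")
    print(filter_rows(SAMPLE_ROWS, "name", "jeff"))
```

Running the block prints the decoded script source for each rendering: the first two both become `setFilter(''); alert('hello world');//')`, which is the breakout, while the third keeps the whole payload inside one string literal. The validation step is deliberately separate from the encoding: encoding is what makes rendering safe, validation is what keeps nonsensical filter terms out of the data layer in the first place, and the thread's point is that both are wanted.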