[Tickets #8715] Re: XSS vulnerability
bugs at horde.org
Thu Nov 26 00:24:07 UTC 2009
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/8715
------------------------------------------------------------------------------
Ticket | 8715
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | XSS vulnerability
Queue | IMP
Version | FRAMEWORK_3
Type | Bug
State | Feedback
Priority | 3. High
Milestone | 4.3.6
Patch |
Owners | Horde Developers
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2009-11-25 19:24) wrote:
> I don't have a better suggestion for you, so I just leave the
> comment that blacklisting can be dangerous.
Of course attempting to blacklist HTML attributes/elements to fix all
security issues is dangerous. That is why we disable HTML inline
viewing by default. But a large portion of users want/need this
inline display and are willing to view these parts even with the
understanding that the filtering may not be 100% accurate.
That being said, thanks for your examples. It is clear that we need
to filter *any* data information contained in the href parameter.
I'm going to go ahead and add this to git and CVS FW_3. Will leave
this ticket open for a few days for additional feedback.
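The reply's point is that enumerating bad attribute values is fragile; the allowlist alternative for the href case, as an added example that is not Horde/IMP code, is shown below. It uses Python's html.parser; the scheme allowlist, the attribute names treated as URLs, and the sample HTML fragment are assumptions constructed for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist: schemes an inline HTML view may keep. Everything else is dropped,
# so a scheme nobody listed (data:, vbscript:, ...) is not a hole.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}
URL_ATTRS = {"href", "src", "action"}  # attributes that carry a URL
_CTRL = re.compile(r"[\x00-\x20\x7f]")  # browsers skip these inside a scheme
_SCHEME = re.compile(r"[a-z][a-z0-9+.-]*")

def url_is_allowed(value):
    """True if value is a relative URL or its scheme is on the allowlist."""
    cleaned = _CTRL.sub("", value)
    if ":" not in cleaned:
        return True
    scheme = cleaned.split(":", 1)[0].lower()
    if not _SCHEME.fullmatch(scheme):
        return True  # no syntactic scheme (e.g. "dir/a:b"): relative path
    return scheme in ALLOWED_SCHEMES

class HrefFilter(HTMLParser):
    # Re-emits a fragment, dropping URL attributes with disallowed schemes.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []
    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:  # html.parser has already decoded entities
            if name in URL_ATTRS and value is not None and not url_is_allowed(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def filter_html(fragment):
    # Returns (filtered_html, [(tag, attr, dropped_value), ...]).
    p = HrefFilter()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample HTML mail part (not taken from the ticket).
SAMPLE = ('<a href="https://example.com/">ok</a>'
          '<a href="JavaScript:void(0)">mixed case</a>'
          '<a href="&#106;avascript:void(0)">entity encoded</a>'
          '<a href="data:text/html,x">data uri</a>')
```

Running `filter_html(SAMPLE)` keeps only the https link and reports the three dropped attribute values in their decoded, case-original form, which is also a useful thing to log.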