[SHINDIG-89] Prefs / view parameter escaping - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: Javascript
Labels:
None

Description

Currently, we do not escape gadgets.Prefs or gadgets.views parameters.

This could potentially result in exploits of data by malicious outside sites.

To remedy this, I propose the attached patch.

As it stands, the spec is silent on the escaping issue, but in practice gmodules.com already does this escaping for user prefs and I suspect that other container sites do as well.

I've also included an unescaping mechanism that I think should ultimately be proposed to the spec discussion group, but that's a later issue.

Feedback is much appreciated. If no one objects, I'll commit this change tomorrow morning.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

escaping-patch.patch
22/Feb/08 02:48
5 kB
Kevin Brown

Activity

People

Assignee:: Kevin Brown

Reporter:: Kevin Brown

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Due:: 22/Feb/08

Created:: 22/Feb/08 02:41

Updated:: 28/Apr/14 11:45

Resolved:: 22/Feb/08 12:28