Open rwmtse opened 12 years ago
When sending a request to an address it seems the address is evaluated by webkit before the request goes through our request & whitelist logic.
- `http://rim.com'`
- `http://rim.com%`
- `http://rim.com&`

and a few other combinations, including possible XSS attacks such as `http://rim.com');console.log('btw I can remotely execute code in your app');//`, will direct to a different page displaying an _Error: This webpage is unavailable. Check the URL and try again._

`');alert('asd');//` also directs to a different page with _Error This file could not be opened. Check that you have the correct permissions and try again._

`http://rim.com#` will result in a request to `http://rim.com/#`
I haven't tested all possibilities but I just wanted to point out this separate issue that I have come across while investigating the current XSS issue.
I've tried a couple of possible XSS attacks that I came up with, but I have not been able to do so successfully, mainly due to the above issue I am having where requests never make it to our framework logic.
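As an added example (not code from this issue or from the WebWorks framework), here is the kind of strict pre-check a whitelist layer can run on an address before the engine ever sees it, so malformed inputs like the ones above are rejected by the framework rather than by the engine's error page. The whitelist hosts, the character policy and the return format are assumptions for the example.

```python
"""Strict URL pre-check meant to run before the rendering engine sees a request.

Added example, not WebWorks framework code: malformed addresses (stray quotes,
incomplete percent-escapes, injected script) are refused here, so they never
reach the engine's own error page. Whitelist and policy are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed whitelist of permitted hosts (matched case-insensitively).
WHITELIST = {"rim.com", "www.rim.com"}

# Authority: hostname characters plus an optional numeric port, nothing else.
# A quote, '%' or '&' glued to the host is refused here, not by the engine.
_NETLOC_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}(?::[0-9]{1,5})?$")

# Path and query: unreserved characters, a few delimiters and *complete*
# percent-escapes only. Deliberately stricter than RFC 3986: quotes, angle
# brackets and parentheses must arrive percent-encoded or are refused.
_SAFE_RE = re.compile(r"^(?:[A-Za-z0-9\-._~/?:@=&+,;]|%[0-9A-Fa-f]{2})*$")


def check_url(url: str) -> tuple[bool, str]:
    """Return (True, normalized_url) if the request may proceed, else (False, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets in the authority
        return False, f"unparseable: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False, f"scheme not permitted: {parts.scheme!r}"
    if not _NETLOC_RE.match(parts.netloc):
        return False, f"malformed authority: {parts.netloc!r}"
    host = parts.netloc.split(":")[0].lower()
    if host not in WHITELIST:
        return False, f"host not whitelisted: {host!r}"
    for name, value in (("path", parts.path), ("query", parts.query)):
        if not _SAFE_RE.match(value):
            return False, f"unsafe or incompletely encoded {name}: {value!r}"
    # Canonical form: lowercase authority, '/' for an empty path, and the
    # fragment dropped because it is never sent to the server.
    return True, urlunsplit((scheme, parts.netloc.lower(), parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for candidate in ("http://rim.com'", "http://rim.com%", "http://rim.com&",
                      "http://rim.com');console.log('x');//", "http://rim.com#",
                      "http://rim.com/');alert('asd');//", "https://WWW.RIM.com/docs?q=a%20b"):
        print(f"{candidate!r:45} -> {check_url(candidate)}")
```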
Let's open another issue in that case
This issue is blocked. Unable to test XSS properly due to issue #99.
See gtanner's comment in blackberry-webworks/BB10-WebWorks-Framework#18