brian-skinner / translation-workflow

Automatically exported from code.google.com/p/translation-workflow
Apache License 2.0

SECURITY: remove "volunteerNicknames" from profile.jsp #27

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The current profile.jsp file hard-codes the list of volunteerNicknames into a 
JSON literal to use for client-side validation.  We should replace that with 
server-side validation (via AJAX, or via some "check availability" button), to 
reduce exposure to potential security problems.

Original issue reported on code.google.com by bskin...@google.com on 19 May 2011 at 8:48

GoogleCodeExporter commented 9 years ago

Original comment by bskin...@google.com on 20 Jun 2011 at 5:45

GoogleCodeExporter commented 9 years ago

Original comment by bskin...@google.com on 20 Jun 2011 at 5:46

GoogleCodeExporter commented 9 years ago

Original comment by bskin...@google.com on 20 Jun 2011 at 7:43

GoogleCodeExporter commented 9 years ago
Decided to leave this as is for now.  We are embedding the user-entered 
nickname strings within the JavaScript on this page, which is safe so long as 
we are sure we restrict what characters can be in the nickname, which we do in 
the ProfileServlet, using the TextValidator.

Original comment by bskin...@google.com on 27 Jun 2011 at 8:35
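The two options the thread weighs, modelled as an added example in JavaScript (this is not code from the translation-workflow project, and the page gives none of the real TextValidator rules): a character whitelist standing in for TextValidator, a serializer that makes the embedded JSON literal safe inside a `<script>` element even if the whitelist were later relaxed, and the server-side "check availability" call the original report proposes. The regex, the function names and the `<script>` framing are assumptions for illustration.

```javascript
// Added example, not part of the translation-workflow code base.
// Assumption: the nickname charset below stands in for whatever the project's
// TextValidator actually enforces; the page does not state those rules.
const NICKNAME_RE = /^[A-Za-z0-9_-]{1,32}$/;

function isValidNickname(name) {
  return typeof name === 'string' && NICKNAME_RE.test(name);
}

// Serialize a value for placement inside a <script> element. JSON.stringify alone
// is not enough: the HTML parser closes the script element at "</script" before
// the JS parser ever sees the string, so "<" is emitted as the JS escape \u003c;
// U+2028/U+2029 are JS line terminators in older engines and are escaped too.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Models the block profile.jsp embeds (hypothetical framing). Only validated
// names are emitted; an invalid stored value is surfaced as an error rather
// than silently rendered, which is the property the final comment relies on.
function renderNicknameScript(nicknames) {
  const bad = nicknames.filter((n) => !isValidNickname(n));
  if (bad.length > 0) {
    throw new Error('invalid nickname(s) in stored list: ' + bad.length);
  }
  return '<script>var volunteerNicknames = ' + toScriptLiteral(nicknames) + ';</script>';
}

// The alternative from the original report: the client sends one candidate and
// gets a yes/no answer, so the full nickname list never leaves the server.
function checkAvailability(candidate, takenNicknames) {
  if (!isValidNickname(candidate)) {
    return { ok: false, reason: 'invalid characters or length' };
  }
  const taken = new Set(takenNicknames.map((n) => n.toLowerCase()));
  if (taken.has(candidate.toLowerCase())) {
    return { ok: false, reason: 'already taken' };
  }
  return { ok: true };
}

// Constructed sample data for a stand-alone run.
const sampleNicknames = ['alice', 'bob_2', 'Carol-T'];
console.log(renderNicknameScript(sampleNicknames));
console.log(checkAvailability('ALICE', sampleNicknames));
console.log(checkAvailability('dave', sampleNicknames));
```

The whitelist is what makes the page's current approach safe; `toScriptLiteral` is the defence-in-depth layer that keeps the literal intact if the charset ever widens, and `checkAvailability` removes the need to ship the list at all.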