javascript injection in the filters

jeffjohnston / jmesa

Automatically exported from code.google.com/p/jmesa

0 stars 0 forks source link

javascript injection in the filters #57

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago

Potential security bug in that you can easily do javascript injection in
the filters.

For example you can input something like this :

'); alert('hello world');//

Original issue reported on code.google.com by extremec...@gmail.com on 14 Nov 2007 at 1:57

GoogleCodeExporter commented 8 years ago

I wonder if I could do something like set the filter value by wrapping it in a 
JSON
object or Array. That way the JavaScript should not execute.

Original comment by extremec...@gmail.com on 15 Nov 2007 at 2:56

GoogleCodeExporter commented 8 years ago

Original comment by extremec...@gmail.com on 11 Mar 2008 at 4:06

Added labels: Priority-High
Removed labels: Priority-Medium

GoogleCodeExporter commented 8 years ago

Original comment by extremec...@gmail.com on 11 Mar 2008 at 4:06

Added labels: Type-Enhancement
Removed labels: Type-Defect

GoogleCodeExporter commented 8 years ago

Came to of a pretty good side effect of this encoding stuff. Try saving
<script>alert('whoops!');</script> in the worksheet example.

Original comment by jeff.johnston.mn@gmail.com on 23 Oct 2008 at 1:35

GoogleCodeExporter commented 8 years ago

<script>alert('whoops!');</script>

Original comment by vr.suka...@gmail.com on 22 Mar 2010 at 9:36

GoogleCodeExporter commented 8 years ago

There should be a way to validate the input of the filters. Just output 
encoding is not enough.

Original comment by harald.walker on 3 Oct 2013 at 8:54

GoogleCodeExporter commented 8 years ago

As a solution I've added a validate method in a custom FilterMatcher and 
extended SimpleRowFilter to validate the filter value against this 
FilterMatcher first before iterating through the items collection.

Original comment by harald.walker on 3 Oct 2013 at 4:11