What steps will reproduce the problem?
1. Go to http://tools.gbif.org/dwca-validator/
2. Populate the field for "Validate full online archive" with:
http://data.canadensys.net/ipt/resource.do?r=vascan
3. This is the URL of the resource page instead of the archive. Something I did
by mistake.
What is the expected output? What do you see instead?
I expect a normal error page, saying the file could not be read.
Instead, the file is read anyway, with an odd bleeding effect:
1. Favicon has changed for Canadensys
2. CSS is applied where it can be targeted: links, font, etc.
3. HTML is injected: the Feedback button on the right, the whole page as a
table in the "Scan records" section, etc.
If you try the same trick with e.g. "http://www.google.com" the effect is less
dramatic, but those pages return a "validation successful".
What version of the product are you using? On what operating system?
http://tools.gbif.org/dwca-validator/ Version 3.0-SNAPSHOT
Mac OS X. Chrome.
Please provide any additional information below.
I would sanitize some input and show an error page if a link was made to a
non-DwC-A (e.g. any non-zip file). The potential security issue from injected
JavaScript is probably minimal, but it's still an issue.
Original issue reported on code.google.com by peter.de...@gmail.com on 27 Mar 2012 at 6:11
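An added illustration of the fix the reporter suggests, not code from the dwca-validator project: before handing a downloaded body to the archive parser, reject anything that is not a zip file (by Content-Type and by magic bytes), and HTML-escape every untrusted value that ends up in the error page so a fetched HTML document or a crafted URL cannot bleed markup into the report. The function names, the in-memory sample archive and the sample HTML body are all constructed for this example.

```python
import html
import io
import zipfile

# Zip local-file header, empty-archive marker and spanned-archive marker.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
HTML_TYPES = ("text/html", "application/xhtml+xml")


def looks_like_zip(data: bytes) -> bool:
    """Cheap magic-byte check: a Darwin Core Archive is a zip file, so the
    first four bytes must be one of the zip signatures."""
    return data[:4] in ZIP_SIGNATURES


def validate_archive_bytes(data: bytes, content_type: str = "") -> dict:
    """Decide whether a downloaded body may be passed to the DwC-A reader.
    Returns {'ok': True, 'files': [...]} or {'ok': False, 'reason': ...};
    a False result means the caller shows an error page and renders nothing
    from the body."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type in HTML_TYPES:
        return {"ok": False, "reason": "server returned an HTML page, not an archive"}
    if not looks_like_zip(data):
        return {"ok": False, "reason": "body does not start with a zip signature"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"ok": False, "reason": "zip archive is corrupt or truncated"}
    return {"ok": True, "files": names}


def render_error(url: str, reason: str) -> str:
    """Build the error fragment with every untrusted value escaped, so neither
    the submitted URL nor any server-supplied text can inject markup."""
    return (
        '<p class="error">Could not read archive at '
        f"<code>{html.escape(url)}</code>: {html.escape(reason)}</p>"
    )


def build_sample_archive() -> bytes:
    """Constructed minimal DwC-A-shaped zip used as the positive sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meta.xml", "<archive/>")
        zf.writestr("occurrence.txt", "id\tscientificName\n1\tAcer rubrum\n")
    return buf.getvalue()


# Constructed stand-in for a resource landing page: favicon link, stylesheet
# and a button, the kind of content the report describes bleeding through.
SAMPLE_HTML = (
    b"<html><head><link rel='icon' href='/favicon.ico'>"
    b"<link rel='stylesheet' href='/site.css'></head>"
    b"<body><button>Feedback</button></body></html>"
)


if __name__ == "__main__":
    print(validate_archive_bytes(build_sample_archive(), "application/zip"))
    verdict = validate_archive_bytes(SAMPLE_HTML, "text/html; charset=utf-8")
    print(verdict)
    print(render_error("http://example.invalid/resource.do?r=<b>x</b>", verdict["reason"]))
```

The magic-byte check matters even when the Content-Type header looks right, because a server may label an HTML error page as `application/zip` or omit the header entirely; checking both, and then letting `zipfile` confirm the central directory, means only real archives reach the parser and only escaped text reaches the page.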