Opened 15 years ago
Closed 15 years ago
#44 closed defect (fixed)
Check for and correct to ${X.encodeAsHtml()} where required.
Reported by: | Gavin | Owned by: | |
---|---|---|---|
Priority: | critical | Milestone: | 0.5 - Functionality and Stability |
Component: | gnuMims - application security | Version: | trunk |
Keywords: | | Cc: | |
Description
Anywhere that user input is displayed in a page, there is the opportunity for HTML (or worse, JavaScript?) injection. Using ${X} directly renders the text, so a user input of "<td>nice</td>" would change the layout of the page.
Find and correct all cases to ${X.encodeAsHtml()}.
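The following is an added example, not gnuMims code or part of the original ticket. It does two things the ticket asks for: it reproduces the layout break from the description by rendering "<td>nice</td>" raw versus encoded, and it scans GSP source for `${...}` expressions that are not wrapped in `.encodeAsHtml()` so the remaining cases can be found mechanically. The `encode_as_html` function is a stand-in for the Grails codec (assumption: it escapes the five characters below; the real codec's table may differ), the toy `render` helper only substitutes plain identifiers and is not a GSP engine, and `SAMPLE_GSP` is constructed input.

```python
"""Audit GSP templates for ${...} output that is not passed through encodeAsHtml()."""
import re


def encode_as_html(value):
    """Stand-in for Grails's encodeAsHtml() codec (assumption: escapes &, <, >,
    double and single quote; the real codec's exact table may differ)."""
    return (str(value)
            .replace("&", "&amp;")
            .replace("<", "&lt;")
            .replace(">", "&gt;")
            .replace('"', "&quot;")
            .replace("'", "&#39;"))


# An expression is considered safe only if encodeAsHtml() is the last call applied.
ENCODED_SUFFIX = re.compile(r"\.encodeAsHtml\(\)\s*$")


def find_expressions(gsp):
    """Return [(line_number, expression_text)] for every ${...} in the template.
    Braces are counted, so expressions containing closures or map literals
    ({ ... }) are captured whole instead of being cut at the first '}'."""
    results = []
    i, n = 0, len(gsp)
    while i < n:
        start = gsp.find("${", i)
        if start == -1:
            break
        depth, j = 0, start + 1
        while j < n:
            if gsp[j] == "{":
                depth += 1
            elif gsp[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if j >= n:
            break  # unterminated ${ ... }: stop rather than guess
        expr = gsp[start + 2:j].strip()
        line_no = gsp.count("\n", 0, start) + 1
        results.append((line_no, expr))
        i = j + 1
    return results


def find_unencoded(gsp):
    """Expressions that are written to the page without encodeAsHtml()."""
    return [(ln, e) for ln, e in find_expressions(gsp)
            if not ENCODED_SUFFIX.search(e)]


def render(template, context, encode=True):
    """Toy renderer: replaces ${name} with context[name], encoded or raw.
    It only exists to show the difference; it is not a GSP implementation."""
    def sub(match):
        value = context[match.group(1)]
        return encode_as_html(value) if encode else str(value)
    return re.sub(r"\$\{(\w+)\}", sub, template)


# Constructed sample template: one raw output, one encoded output, one
# expression inside a g:if attribute (evaluated, not written to the page).
SAMPLE_GSP = """\
<table>
  <tr><td>${user.name}</td><td>${user.email.encodeAsHtml()}</td></tr>
  <g:if test="${user.roles.any { it.name == 'admin' }}"><td>admin</td></g:if>
  <tr><td>${comment.encodeAsHtml() }</td></tr>
</table>
"""

if __name__ == "__main__":
    hostile = "<td>nice</td>"  # the input from the ticket description
    print("raw:    ", render("<td>${name}</td>", {"name": hostile}, encode=False))
    print("encoded:", render("<td>${name}</td>", {"name": hostile}))
    for line_no, expr in find_unencoded(SAMPLE_GSP):
        print(f"line {line_no}: ${{{expr}}} is not encoded")
```

The scanner flags every expression without a trailing `.encodeAsHtml()`, including the one in the `<g:if test="...">` attribute on line 3 of the sample; expressions passed to GSP tag attributes are evaluated rather than written to the response, so those hits are false positives to triage by hand, whereas a flagged expression in a plain HTML attribute such as `href="${...}"` is output and does need encoding. HTML encoding is only correct for HTML body and attribute contexts; a value interpolated into an inline `<script>` block needs the JavaScript codec (`encodeAsJavaScript()` in Grails) instead.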
The bulk of these have been corrected; there don't seem to have been as many as I first thought. This is also now standard programming practice in gnuMims, so closing this ticket and creating reminder ticket #58, since the security issue is now negated.