Fix XSS issues

[GoogleCodeExporter]

There are two known cross site scripting issues that have been reported
already in 2005:

1. http://moritz-naumann.com/adv/0004/antvxss/0004.txt
2. http://blogs.23.nu/0test/stories/8443/

The first one is easily resolved by adding the encoding parameter set to
"all" to the <% request.path %> macro. I already patched the code at
antville.org manually; still needs to be committed to the repository, though.

The second one could be solved by removing any <script> tag from stories
and/or comments. Maybe I'll find some better, less radical solution, though.

Original issue reported on code.google.com by interf...@p3k.org on 27 May 2007 at 9:50

[GoogleCodeExporter]

Original comment by interf...@p3k.org on 2 Jun 2007 at 4:17

• Added labels: Milestone-Release-1.2

[GoogleCodeExporter]

I think the twoday guys have fixed this issue in their branch.

Original comment by samuel....@gmail.com on 17 Jun 2007 at 1:28

[GoogleCodeExporter]

With a recent commit the first issue has been fixed:
http://antville.googlecode.com/svn/trunk/code/Root/notfound.skin

Original comment by interf...@p3k.org on 16 Aug 2007 at 3:27

[GoogleCodeExporter]

Just as a sidenote: with Helma 1.6.2 bringing HTTPONLY session cookies [1] many 
XSS
issues involving transmission of login data to third-party sites should be made
impossible.

--
[1] http://helma.org/bugs/show_bug.cgi?id=644

Original comment by interf...@p3k.org on 11 Dec 2008 at 8:12

[GoogleCodeExporter]

As the page the second link of the issue description is referring to 
unfortunately disappeared I am closing this 
bug. Issue #64 looks like handling that part, anyway. 

Original comment by interf...@p3k.org on 23 Apr 2010 at 8:20

• Changed state: Fixed

[GoogleCodeExporter]

See also issue #118.

Original comment by interf...@p3k.org on 17 Jun 2010 at 6:11

• Changed state: Verified

[GoogleCodeExporter]

Original comment by m...@tobischaefer.com on 7 Mar 2015 at 5:59