URL input is written into web page. #602
I am developing the use of JBrowse in GrainGenes and am thinking about how to dynamically generate some of the JSON files for serving JBrowse. I wanted to test that it was possible to insert a ? into the requested URL.
I think this is an example of a "non-persistent" XSS, which is not the super bad kind of XSS, but should still be fixed. The super bad ("persistent") case is where it stays on the page even if they don't click a specially crafted link.
A similar thing was noted here #570 but this makes it more obvious.
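The reflected XSS pattern the report describes, as an added example that is not JBrowse's code: the `data` query parameter concatenated straight into markup, beside a version that validates it as an http(s) URL and HTML-escapes it before insertion. The helper names and the sample query strings are assumptions.

```javascript
// Added example, not JBrowse's code: a URL parameter written into the page
// unescaped is a reflected XSS; escaping and validating it first removes it.

// The five characters that need escaping in HTML text and attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical helper: read the `data` parameter from a query string.
function getDataParam(search) {
  const value = new URLSearchParams(search).get("data");
  return value === null ? "" : value;
}

// Vulnerable pattern: the untrusted value lands in the markup as-is.
function renderUnsafe(search) {
  return `<div class="status">Loading data from ${getDataParam(search)}</div>`;
}

// The `data` parameter is only ever meant to carry an http(s) URL, so anything
// else is rejected outright before it is rendered.
function isHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// Hardened pattern: validate, then escape what is echoed back.
function renderSafe(search) {
  const data = getDataParam(search);
  if (!isHttpUrl(data)) {
    return '<div class="status">Invalid data source</div>';
  }
  return `<div class="status">Loading data from ${escapeHtml(data)}</div>`;
}

// Constructed inputs: a legitimate config URL and a markup-bearing value.
const GOOD_QUERY = "?data=http://www.flymine.org/query/service/jbrowse/config/7227";
const BAD_QUERY = "?data=<script>1</script>";
```

`renderUnsafe(BAD_QUERY)` returns markup containing a live `<script>` element, while `renderSafe` rejects it and only ever echoes an escaped http(s) URL.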
@GrainGenes, InterMine has developed functionality to serve out JBrowse compatible configs + data from the warehouse, in accordance with the JBrowse REST specifications.
An example, view all FlyMine data in JBrowse: http://jbrowse.org/code/JBrowse-1.12.0/?data=http://www.flymine.org/query/service/jbrowse/config/7227
Is this the sort of capability you are thinking about implementing?
Even if the URL developed by you, which is capable of serving JBrowse compatible data, had a "?" in it, with some clever Apache mod_rewrite functionality you could normalize (or clean) out the URLs and have them be REST-like.
Does that sound reasonable, or am I way off base in interpreting your issue?
@vivekkrish I think the issue is the XSS
The cross domain data thing like FlyMine is awesome, but it is also technically a touchy issue too.