
URL input is written into web page. #602

GrainGenes opened this Issue Jun 5, 2015 · 5 comments

4 participants

GrainGenes commented Jun 5, 2015

I am developing the use of JBrowse in GrainGenes and I am thinking about how to dynamically generate some of the JSON files for serving JBrowse. I wanted to test that it was possible to insert a ? into the requested URL. shows a link. This can be extended into XSS.
This loads an error page, since rather than requesting a JSON file, it requests a folder. Further, the error code does not filter HTML tags and displays a link.





cmdcolin commented Jun 5, 2015

Good catch

I think this is an example of a "non persistent" XSS, which is not the super bad kind of XSS, but should still be fixed. The super bad ("persistent") case is where it stays on the page even if they don't click a specially crafted link.


A similar thing was noted here #570 but this makes it more obvious.




vivekkrish commented Feb 26, 2016

@GrainGenes, InterMine has developed functionality to serve out JBrowse-compatible configs + data from the warehouse, in accordance with the JBrowse REST specifications.
See docs:

An example, view all FlyMine data in JBrowse:

Is this the sort of capability you are thinking about implementing?

Even if the URL developed by you, which is capable of serving JBrowse-compatible data, had "?" in it, with some clever Apache mod_rewrite functionality you could normalize (or clean) the URLs and have them be REST-like.

Does that sound reasonable, or am I way off base in interpreting your issue?




cmdcolin commented Feb 26, 2016

@vivekkrish I think the issue is the XSS

The cross domain data thing like FlyMine is awesome but it is also technically a touchy issue too

For example,




cmdcolin commented Feb 26, 2016

Maybe there's another thing that GrainGenes was also looking for in terms of functionality that I didn't see in this post (e.g. the ? in the URL)?




rbuels commented Jan 30, 2018

Just need to html-entity encode error messages in the error page.

@rbuels rbuels modified the milestones: 1.12.4, 1.12.5 Feb 2, 2018

@rbuels rbuels closed this in a95f2b8 Feb 20, 2018
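The two comments above describe the same defect from both sides: cmdcolin classifies it as a reflected ("non persistent") XSS, where markup carried in a crafted link is echoed once into the page, and rbuels names the fix, HTML-entity encoding the error message before it is written out. The block below is an added illustration, not JBrowse's own code or the a95f2b8 change; the function names (`escapeHtml`, `renderErrorUnsafe`, `renderErrorSafe`, `containsForeignTag`) and the sample URL are assumptions made for the example. It shows the unsafe concatenation beside the encoded form and a small regression check a test suite can keep around.

```javascript
// Added example (not JBrowse project code). Demonstrates the fix described
// in the thread: HTML-entity encode untrusted text (here, a requested URL
// echoed into an error message) before it is written into the page.

// Minimal HTML entity encoder covering the five characters that can change
// the meaning of markup or of an attribute value.
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pattern that caused the issue: the failing URL is concatenated raw into
// the error markup, so any markup carried in the URL becomes part of the page.
function renderErrorUnsafe(requestedUrl) {
  return '<div class="error">Could not load ' + requestedUrl + '</div>';
}

// Hardened form: every untrusted value is encoded at the point of output.
// The wrapper markup is ours; only the interpolated value is encoded.
function renderErrorSafe(requestedUrl) {
  return '<div class="error">Could not load ' + escapeHtml(requestedUrl) + '</div>';
}

// Regression check: the rendered fragment must contain no tag other than the
// <div> wrapper we wrote ourselves. Any other tag means input reached the
// page unencoded.
function containsForeignTag(html) {
  return /<(?!\/?div\b)[a-zA-Z]/.test(html);
}

// Constructed sample (hypothetical): a track-data URL that carries markup,
// the way a crafted link in a reflected XSS would.
const sampleUrl = 'data/tracks?<b>bad</b>';

// Stand-alone demonstration of the difference between the two renderers.
console.log('unsafe leaks a tag:', containsForeignTag(renderErrorUnsafe(sampleUrl)));
console.log('safe leaks a tag:  ', containsForeignTag(renderErrorSafe(sampleUrl)));
console.log(renderErrorSafe(sampleUrl));
```

Encoding at output time, rather than filtering on input, is the reliable choice here because the error page is the only place this value is interpreted as HTML; the same URL may legitimately contain `&` or quotes when used as a URL. If the error text is inserted into an attribute or into JavaScript rather than element content, the encoding has to match that context instead.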
