[Building Sakai] Question on XSS URL cleaning

Kirschner, Beth bkirschn at umich.edu
Tue Feb 4 11:13:57 PST 2014


In SAK-23859, we added code to remove one possible XSS attack by truncating URLs with the following characters:  \"'<>&
Unfortunately this also broke the OSP matrix download feature (SAK-25500), which generates URLs which look like this:
	/tool/f6af4350-9b92-4c82-9db6-b298bcea9570/repository/1=1&1=1&manager=matrixManager&scaffoldingId=F16CB84C6AC085CB7FA3C4608FA937C8/test-1.zip

Does anyone know why the ampersand ('&') character is considered naughty? Is the concern that it could be used to encode and hide other naughty characters? If that's the case, I can change the code to clean out encoded characters (e.g. "&nn;"), but leave singleton ampersands alone.

Thoughts?
- Beth
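An added illustration (not Sakai code, not from the post's author) of the three behaviours discussed above: the SAK-23859-style cleaner that truncates at the first of `"'<>&`, the entity-aware variant proposed in the post that strips `&name;` / `&#nn;` references but leaves bare separators alone, and, as an assumption about the safer fix, escaping the URL for the HTML attribute it is emitted into instead of mutating it. The `TRUNCATE_AT` set, the function names and the second sample URL are constructed for the example.

```python
import re
from html import escape

# Characters the SAK-23859 cleaner (as described in the post) treats as the
# start of a payload; the URL is cut at the first one found.
TRUNCATE_AT = set('"\'<>&')

# An HTML character reference: named (&lt;), decimal (&#60;) or hex (&#x3c;).
ENTITY_RE = re.compile(r'&(?:#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);')


def truncate_clean(url: str) -> str:
    """Cut the URL at the first tainted character (the approach in the post)."""
    for i, ch in enumerate(url):
        if ch in TRUNCATE_AT:
            return url[:i]
    return url


def entity_aware_clean(url: str) -> str:
    """Proposed variant: drop encoded references such as '&lt;' or '&#60;',
    keep bare '&' query separators, still truncate on the other characters."""
    url = ENTITY_RE.sub('', url)
    for i, ch in enumerate(url):
        if ch in TRUNCATE_AT - {'&'}:
            return url[:i]
    return url


def html_attr_safe(url: str) -> str:
    """Contextual output encoding (assumed safer fix): leave the URL intact and
    escape it for the HTML attribute it lands in. '&' becomes '&amp;', which
    the browser decodes back to '&' when it parses the attribute, so the
    matrix download URL survives unchanged."""
    return escape(url, quote=True)


# Sample 1: the OSP matrix download URL quoted in the post.
OSP_URL = ('/tool/f6af4350-9b92-4c82-9db6-b298bcea9570/repository/'
           '1=1&1=1&manager=matrixManager'
           '&scaffoldingId=F16CB84C6AC085CB7FA3C4608FA937C8/test-1.zip')
# Sample 2 (constructed): a value that would close the attribute and inject markup.
TAINTED_URL = '/x?q=1"><b>hi</b>'

if __name__ == '__main__':
    print(truncate_clean(OSP_URL))       # breaks: cut at the first '&'
    print(entity_aware_clean(OSP_URL))   # unchanged
    print(html_attr_safe(TAINTED_URL))   # '"' and '<' are neutralised, not cut
```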

