[Building Sakai] Question on XSS URL cleaning
Noah Botimer
botimer at umich.edu
Tue Feb 4 12:00:10 PST 2014
I think there are two separate issues here:
1. The download URL generation seems to have broken if the stuff after /repository does not have "?" before the query parameters. By my reckoning, adding it will fix the download.
2. Simply put, any input from the user emitted as (part of) a URL needs to be URL-encoded. If that's not happening somewhere, it's a bug. Anything more exotic or specialized is a probable bug.
Thanks,
-Noah
On Feb 4, 2014, at 2:13 PM, Kirschner, Beth wrote:
> In SAK-23859, we added code to remove one possible XSS attack, by truncating URLs with the following characters: \"'<>&
> Unfortunately this also broke the OSP matrix download feature (SAK-25500), which generates URLs which look like this:
> /tool/f6af4350-9b92-4c82-9db6-b298bcea9570/repository/1=1&1=1&manager=matrixManager&scaffoldingId=F16CB84C6AC085CB7FA3C4608FA937C8/test-1.zip
>
> Does anyone know why the ampersand ('&') character is considered naughty? Is the concern that it could be used to encode and hide other naughty characters? If that's the case, I can change the code to clean out encoded characters (e.g. "&nn;"), but leave singleton ampersands alone.
>
> Thoughts?
> - Beth
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
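Noah's second point worked through as an added example (not code from this thread or from Sakai; the tool id and parameter names follow the URL Beth quoted, and the path layout with the filename before the query string is an assumption): each user-supplied value is percent-encoded for the URL context, and the whole URL is then HTML-escaped for the attribute context, which is the layer where '&' is actually special.

```python
from html import escape
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed values for the demonstration; the tool id and parameter
# names follow the shape of the URL quoted in the thread.
TOOL_ID = "f6af4350-9b92-4c82-9db6-b298bcea9570"
BLOCKED = '"\'<>&'   # the characters the SAK-23859 cleaning truncates at


def truncate_at_blocked(url: str) -> str:
    """The blanket-cleaning approach under discussion: cut the URL at the
    first blocked character. Shown only to illustrate why it breaks any
    URL with more than one query parameter."""
    for i, ch in enumerate(url):
        if ch in BLOCKED:
            return url[:i]
    return url


def build_download_url(tool_id: str, filename: str, params: dict) -> str:
    """Context-correct alternative: percent-encode each path segment and
    each query value separately. The '&' and '=' between parameters are
    structural and stay literal; a user-supplied value cannot contain
    them, or any other blocked character, once it is encoded."""
    path = f"/tool/{quote(tool_id, safe='')}/repository/{quote(filename, safe='')}"
    return f"{path}?{urlencode(params)}"


def html_href(url: str) -> str:
    """A URL placed in an HTML attribute needs HTML escaping on top of
    URL encoding: '&' starts an entity in HTML, so it becomes '&amp;'."""
    return f'<a href="{escape(url, quote=True)}">download</a>'


def decoded_params(url: str) -> dict:
    """Round-trip check: the server still sees the original values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    good = build_download_url(TOOL_ID, "test-1.zip", {
        "manager": "matrixManager",
        "scaffoldingId": "F16CB84C6AC085CB7FA3C4608FA937C8"})
    print(good)
    print(truncate_at_blocked(good))   # loses everything after the first '&'
    hostile = build_download_url(TOOL_ID, "test-1.zip", {"scaffoldingId": 'abc"<>&'})
    print(hostile)                     # blocked characters arrive percent-encoded
    print(html_href(good))
    print(decoded_params(hostile))
```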