Opened 10 years ago

Closed 10 years ago

#44 closed defect (fixed)

Check for and correct to ${X.encodeAsHtml()} where required.

Reported by: Gavin
Owned by:
Priority: critical
Milestone: 0.5 - Functionality and Stability
Component: gnuMims - application security
Version: trunk
Keywords:
Cc:

Description

Anywhere that user input is displayed in a page there is the opportunity for HTML (or worse, JavaScript?) injection. Using ${X} directly renders the text, so a user input of "<td>nice</td>" would change the layout of the page.

Find and correct all cases to ${X.encodeAsHtml()}.
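The audit the ticket asks for (find every `${X}` in a GSP view that is rendered without `.encodeAsHtml()` and correct it) can be mechanised. The script below is an added example and not part of gnuMims; it scans a constructed GSP fragment, lists the unencoded expressions with their line numbers, rewrites them, and uses Python's `html.escape` as a stand-in for the Grails codec to show what `"<td>nice</td>"` becomes once encoded. It assumes expressions contain no nested braces and that a compound expression (anything with whitespace or an operator) must be parenthesised before the codec call, since `${a + b.encodeAsHtml()}` would encode only `b`. Findings still need a human pass, because a `${...}` inside a `<g:...>` tag attribute may be a map or id rather than displayed text.

```python
import html
import re

# Constructed GSP fragment for the demo; it is not a gnuMims view.
SAMPLE_GSP = """<tr>
  <td>${item.name}</td>
  <td>${item.description.encodeAsHtml()}</td>
  <td><g:link action="show" id="${item.id}">${item.id}</g:link></td>
  <td>${item.first + ' ' + item.last}</td>
</tr>
"""

# One ${...} expression; assumes no nested braces inside the expression.
EXPR = re.compile(r"\$\{([^}]*)\}")
# Already encoded: the expression ends with the codec call (case-insensitive,
# since Grails releases spell it both encodeAsHtml and encodeAsHTML).
ENCODED = re.compile(r"\.encodeAsHtml\(\)\s*$", re.IGNORECASE)
# Compound expressions need parentheses before appending the codec call.
COMPOUND = re.compile(r"[\s+\-*/?:]")


def find_unencoded(gsp_text):
    """Return [(line_no, expression)] for every ${...} lacking .encodeAsHtml()."""
    findings = []
    for lineno, line in enumerate(gsp_text.splitlines(), start=1):
        for m in EXPR.finditer(line):
            expr = m.group(1).strip()
            if not ENCODED.search(expr):
                findings.append((lineno, expr))
    return findings


def fix_expressions(gsp_text):
    """Rewrite each unencoded ${X} to ${X.encodeAsHtml()}, wrapping compound
    expressions as ${(X).encodeAsHtml()}; encoded expressions are untouched."""
    def repl(m):
        expr = m.group(1).strip()
        if ENCODED.search(expr):
            return m.group(0)
        if COMPOUND.search(expr):
            expr = "(" + expr + ")"
        return "${" + expr + ".encodeAsHtml()}"
    return EXPR.sub(repl, gsp_text)


def encode_as_html(value):
    """Stand-in for the Grails encodeAsHtml codec: escapes & < > " and '.
    (html.escape is used here; the real codec's quote handling differs by version.)"""
    return html.escape(str(value), quote=True)


if __name__ == "__main__":
    for lineno, expr in find_unencoded(SAMPLE_GSP):
        print(f"line {lineno}: unencoded ${{{expr}}}")
    print(fix_expressions(SAMPLE_GSP))
    print(encode_as_html("<td>nice</td>"))
```

Run it against a view directory by reading each `.gsp` file into `find_unencoded` first; apply `fix_expressions` only after reviewing the findings, since the rewrite is purely textual and cannot tell displayed text from a tag-attribute value.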

Change History (1)

comment:1 Changed 10 years ago by Gavin

Resolution: fixed
Status: new → closed

The bulk of these have been corrected; there don't seem to have been as many as I first thought. This is also now standard programming practice in gnuMims, so closing this ticket and creating a reminder ticket #58, since the security issue is now negated.
