Closed Bug 282671 Opened 20 years ago Closed 20 years ago

Please validate your input

Categories

(Webtools Graveyard :: Hendrix, defect)

x86
Windows XP
defect
Not set
blocker

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: timeless, Assigned: gerv)


The site does not validate its input.

There are probably much better attacks, but I ran out of time.

Just to expound on the "better attacks" angle, the right way to do this attack
is probably to use XBL bound via the stylesheet to completely change the way the
page looks....

Hmm. So is there no way to allow people to test their external stylesheets on
Hendrix without opening up such attacks or developing a CSS sanitiser?

It's not a big problem to take it out - the feature was only there for the theme
development request.

Gerv

I've removed the parameter. Bug 278500 opened on CVS-updating Hendrix. When
that's done, I'll open this bug to the world.

Gerv

Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

Removing security-sensitive group setting, as the one installation of this
software has now been updated.

Gerv

Group: webtools-security
Status: RESOLVED → VERIFIED
Product: Webtools → Webtools Graveyard