Re: Help from security gurus?
- Subject: Re: Help from security gurus?
- From: Chuck Hill <email@hidden>
- Date: Mon, 15 Aug 2011 10:47:04 -0700
Hi Mai,
I am confused. That HTML looks like it was added on the server. Are you using an Ajax component that is adding this to your page?
Chuck
On 2011-08-12, at 4:57 PM, Mai Nguyen wrote:
> Hello,
> I am really baffled at how someone can insert a <A target> link into the following WebObjects page:
> .....
> <td> &#x5b;Enter brief description of issue&#x28;s&#x29;&#x5d;
> <br/>
> <a href="javascript:void(0);" onClick="show_summary(this); return false;">Show Summary</a>
>
> <A target="[Enter brief description of issue(s)]" onClick="window.open('/cgi-bin/WebObjects/MyTestApp.woa/1/wo/TTx5ltJlAYLbrboJWoAQyw/4.0.19.13.7.11.1.5.7.7.3.1.11','[Enter brief description of issue(s)]','toolbar=no,location=no,status=no,menubar=no,resizable=yes,scrollbars=yes,width=900,height=600'); return false" href="/cgi-bin/WebObjects/MyTestApp.woa/1/wo/TTx5ltJlAYLbrboJWoAQyw/4.0.19.13.7.11.1.5.7.7.3.1.11">Show Details</A>
> </td>
> ......
> All input fields are verified and sanitized.
>
> Could someone inject this <A> link from the above onClick="show_summary()" JavaScript?
>
> Many thanks for your advice,
>
> -mai
--
Chuck Hill Senior Consultant / VP Development
Practical WebObjects - for developers who want to increase their overall knowledge of WebObjects or who are trying to solve specific problems.
http://www.global-village.net/products/practical_webobjects
Webobjects-dev mailing list (email@hidden)