#1362 ✓not-applicable
Kevin Watt

potential xss problem with default url/email_address formats?

Reported by Kevin Watt | July 15th, 2010 @ 01:47 AM

in dm-validations/lib/dm-validations/formats/email.rb and url.rb:

DataMapper::Validations::FormatValidator::FORMATS.merge!(
:email_address => [ EmailAddress, lambda { |field, value| '%s is not a valid email address'.t(value) }] )

Since it echoes the submitted result, it might be possible to get a user to click a link that submitted a value that was invalid but would be shown on the page they viewed. If this value contained javascript, it would be executed in the user's context.

That said, I don't know what t() does, and can't find the definition for it, so maybe it makes it safe.

Comments and changes to this ticket

  • Martin Gamsjaeger (snusnu)

    Martin Gamsjaeger (snusnu) July 15th, 2010 @ 09:08 AM

    • State changed from “new” to “not-applicable”

    Kevin,

    I think that proper XSS protection is not part of DM's scope since DM might be used in whatever scenarios, needn't be web apps only. That said, it's the web framework's (or the programmer's) responsibility to guard against XSS attacks, nothing for DM to handle imho. Marking this not-applicable.
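To make the reporter's concern and the maintainer's reply concrete, here is an added example; it is not code from dm-validations or from either participant. It models the FORMATS entry quoted in the ticket. `String#t` is assumed here to be plain format-string substitution with no HTML escaping (the ticket leaves what `t()` does open), the e-mail pattern is a simplified stand-in rather than the gem's `EmailAddress` regexp, and the payload is a constructed input. It shows that the validation message carries the raw submitted value verbatim, and that the escaping which neutralises it is an output-time step in the web layer, not something the validator performs.

```ruby
require 'erb' # ERB::Util.html_escape is in the standard library

# ASSUMPTION: String#t modelled as plain format substitution with no escaping
# (the ticket does not establish what the gem's t() actually does).
class String
  def t(*values)
    self % values
  end
end

# Constructed, simplified e-mail pattern; not the gem's EmailAddress regexp.
EMAIL_ADDRESS = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Same shape as the FORMATS entry quoted in the ticket: a pattern plus a
# message lambda that interpolates the submitted value as-is.
FORMATS = {
  :email_address => [ EMAIL_ADDRESS,
                      lambda { |field, value| '%s is not a valid email address'.t(value) } ]
}

# Mimics the format validator: nil when the value matches, otherwise the
# rendered message, which still contains the raw submitted value.
def format_error(format_name, field, value)
  regexp, message = FORMATS.fetch(format_name)
  value.to_s =~ regexp ? nil : message.call(field, value)
end

# What NOT to do in the web layer: interpolate the message straight into HTML.
# A value such as "<script>...</script>" becomes live markup in the page.
def render_error_html_unsafe(message)
  "<p class=\"error\">#{message}</p>"
end

# The check that belongs in the web framework or template (the maintainer's
# point): escape the message at output time, regardless of where it came from.
def render_error_html(message)
  "<p class=\"error\">#{ERB::Util.html_escape(message)}</p>"
end

# Constructed malicious input: it fails the pattern, so its text is echoed back.
PAYLOAD = "<script>alert(1)</script>@example"

if __FILE__ == $PROGRAM_NAME
  msg = format_error(:email_address, :email, PAYLOAD)
  puts "message : #{msg}"
  puts "unsafe  : #{render_error_html_unsafe(msg)}"
  puts "escaped : #{render_error_html(msg)}"
end
```

Running the file prints the three strings: the validator's message with the raw payload, the unsafe rendering where that payload is now a `<script>` element, and the escaped rendering where it is inert text. The validator's output is identical in both renderings; only the output encoding differs, which is exactly why the fix lives in the view layer.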
