dhis security issue

Hi all,

Sorry if this issue is irrelevant, but when I tried to insert a malicious script into a dhis2 field, it got stored, like this:

image

It means that data are not filtered at all. In theory, there is a risk of an XSS attack. How do we prevent that?

Thanh

Everything coming out of DHIS should be escaped. Are you saying that you see the alert box where you can see the name?

Morten

On Sat, Jan 26, 2013 at 5:37 PM, Ngoc Thanh Nguyen thanh.hispvietnam@gmail.com wrote:

Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

No, I don't see it. But even with the output escaped, will it be completely secure?

Thanh


Yes, at least in DHIS. It will make sure that no JS will be executed. There might be a need to also escape on input, but we don't do that at the moment, so what ends up in the database itself might be dangerous. But these things should always be escaped.

Morten

On Sat, Jan 26, 2013 at 5:59 PM, Ngoc Thanh Nguyen thanh.hispvietnam@gmail.com wrote:


On Sat, Jan 26, 2013 at 11:42 PM, Morten Olav Hansen mortenoh@gmail.com wrote:

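As an added illustration of the output escaping Morten describes (example code, not DHIS2's own): whatever string reached the database is encoded at render time for each context it lands in, so it stays inert in the page. The org-unit row template, the `select` handler name and the sample stored value are assumptions made for the demonstration.

```javascript
// Added example (not DHIS2 code): escape at output, per rendering context.
// The stored value below is constructed; it stands in for a field such as an
// org-unit name that was saved unfiltered and later rendered in a page.

// Escape for HTML element content and double-quoted attribute values.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Escape for a JavaScript string-literal context (e.g. an inline handler a
// template emits). HTML escaping alone does not cover this context, because
// the value sits inside script, not inside markup. Only letters, digits and
// spaces pass through; everything else becomes a \uXXXX escape, which is also
// harmless inside an HTML attribute.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Build a table row the way a server-side template would, encoding the stored
// value once for each context: element text, attribute value, JS string.
function renderOrgUnitRow(name) {
  return `<tr><td title="${escapeHtml(name)}">${escapeHtml(name)}</td>` +
    `<td><a href="#" onclick="select('${escapeJsString(name)}')">select</a></td></tr>`;
}

// Defensive check a reviewer can run over rendered output: apart from the
// template's own fixed tags, no angle brackets from data may survive.
function rowIsInert(row) {
  const stripped = row.replace(/<\/?(tr|td|a)(\s[^>]*)?>/g, '');
  return !/[<>]/.test(stripped);
}

// Stand-alone demo with a constructed stored value.
const storedValue = "<script>alert('xss')</script>";
console.log(renderOrgUnitRow(storedValue));
console.log('inert:', rowIsInert(renderOrgUnitRow(storedValue)));
```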