
Conversation

@sventantau
Contributor

Hi guys,
Please see my changes to filter strings for HTML output.
Regards,
Sven

@tevans
Member

tevans commented Apr 15, 2014

Hi Sven -

Thanks for sending this in ... looks good to me. Let's give the other devs a chance to look it over, and then we should be able to get it merged back into the master soon.

Regards,
Tom

@sventantau
Contributor Author

Hi Tom.

I would like to discuss a CSRF (cross-site request forgery) protection for the web interface.
Where would be the best place to do that? Should I open another issue here on GitHub? Or do you guys discuss that kind of stuff at igniterealtime.org?

@Flowdalic
Member

Please use http://community.igniterealtime.org/community/developers/openfire_dev for discussing openfire development.

@sventantau darly asked if your commit will fix http://issues.igniterealtime.org/browse/OF-705, if it does, the issue key should be mentioned in your commit message so that the issue is linked to the commit.

@sventantau
Contributor Author

Hi Florian.

I started a discussion in the mentioned forum.

Without knowing the details of the 705 exploit: my patch only fixes parts of the problem, since CSRF is still possible.

http://issues.igniterealtime.org/browse/OF-686
http://issues.igniterealtime.org/browse/OF-687
http://issues.igniterealtime.org/browse/OF-705

are roughly about the same thing, so you might want to merge them somehow.

Since the mentioned exploit is non-free, here is my version for reference:
https://dev.beastiebytes.com/root/sandbox/wikis/openfire-3.8.2-exploit

The problem with CSRF protections is that they are useless once there is an XSS vector present, and you usually don't need XSS to perform CSRF.

Regards,
Sven

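The kind of output filter this pull request is about, and the point of the comment above (script injected through an unescaped value can read whatever anti-CSRF token the page carries), as an added illustration that is not Openfire's own code: a small context-aware HTML encoder with a constructed untrusted value rendered unsafely and safely. The class name, the sample value and the `room` field are assumptions for the example.

```java
/**
 * Added example (not Openfire's filter): encode untrusted values at the point
 * where they are written into HTML, e.g. a user-supplied room name shown on
 * an admin page. Encode every time the value is rendered, not once on input.
 */
public final class HtmlOutput {

    private HtmlOutput() {}

    /** Encodes a value for an HTML text node or a double-quoted attribute. */
    public static String escape(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // single-quoted attributes
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed sample: an untrusted value that tries to close the attribute
    // and the tag it sits in. Nothing here is taken from the linked issues.
    static final String SAMPLE = "\"><script>alert(1)</script>";

    public static void main(String[] args) {
        // Unsafe: the value is concatenated into markup verbatim, so the browser
        // parses the injected tag. Script running in the page can read any
        // CSRF token embedded in forms, which is why output encoding has to
        // accompany CSRF protection rather than be replaced by it.
        String unsafe = "<input name=\"room\" value=\"" + SAMPLE + "\">";
        // Hardened: the quote and angle brackets become entities, so the value
        // stays inside the attribute and is displayed as text.
        String safe = "<input name=\"room\" value=\"" + escape(SAMPLE) + "\">";
        System.out.println(unsafe);
        System.out.println(safe);
    }
}
```

The encoder covers HTML text and quoted attributes only; values placed into JavaScript, URLs or CSS need the encoding rules of that context instead.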
tevans added a commit that referenced this pull request Apr 17, 2014
OF-705: Merged updates for XSS filtering
@tevans tevans merged commit ed98704 into igniterealtime:master Apr 17, 2014
guusdk pushed a commit that referenced this pull request Jun 28, 2016
guusdk pushed a commit that referenced this pull request Mar 21, 2020