dhis2-devs team mailing list archive
Message #20728
Re: dhis security issue
Everything coming out of DHIS should be escaped. Are you saying that you
see the alert box where you can see the name?
--
Morten
On Sat, Jan 26, 2013 at 5:37 PM, Ngoc Thanh Nguyen <
thanh.hispvietnam@xxxxxxxxx> wrote:
> Hi all,
>
> Sorry if this issue is irrelevant, but when I tried to insert some
> malicious script into a dhis2 field, it got stored, like this:
> [image: Inline image 1]
>
> It means that data are not filtered at all. In theory, there is a risk of
> an XSS attack. How do we prevent that?
>
> Thanh
>
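
The approach named in the reply above (leave the stored value unchanged and escape it on output), as an added example that is not part of the thread and is not DHIS2 code. The function names and the sample value are constructed for illustration, and JavaScript stands in for whatever template layer renders the field.

```javascript
// Constructed sample: a name field exactly as it was saved, unfiltered.
const storedName = '<script>alert("name")</script>';

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode for HTML element content and for quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Encode for data placed inside an inline <script> block: JSON, plus escapes
// for characters that could end the script element or the source line.
function toScriptJson(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Before: the stored value is concatenated into markup as-is, so the
// browser parses it as markup (the alert box mentioned in the thread).
function renderUnsafe(name) {
  return '<td title="' + name + '">' + name + '</td>';
}

// After: the same stored value, encoded at the point of output.
function renderSafe(name) {
  const v = escapeHtml(name);
  return '<td title="' + v + '">' + v + '</td>';
}

// A different output context needs a different encoder.
function renderScriptData(name) {
  return '<script>var fieldName = ' + toScriptJson(name) + ';</script>';
}

console.log(renderUnsafe(storedName));
console.log(renderSafe(storedName));
console.log(renderScriptData(storedName));
```

The database row is identical in both cases; only the rendering step differs, which is why escaping on output covers values that were stored before any input filter existed.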