dhis2-devs team mailing list archive

Re: dhis security issue

 

No, I don't see it. But even by escaping the output, will it be completely
secured?

Thanh

On Sat, Jan 26, 2013 at 11:42 PM, Morten Olav Hansen <mortenoh@xxxxxxxxx> wrote:

> Everything coming out of DHIS should be escaped. Are you saying that you
> see the alert box where you can see the name?
>
> --
> Morten
>
>
> On Sat, Jan 26, 2013 at 5:37 PM, Ngoc Thanh Nguyen <
> thanh.hispvietnam@xxxxxxxxx> wrote:
>
>> Hi all,
>>
>> Sorry if this issue is irrelevant but when I tried to insert some
>> malicious script into a dhis2 field, I got it stored, like this:
>> [image: Inline image 1]
>>
>> It means that data are not filtered at all. In theory, it has a risk of
>> XSS attack. How do we prevent that?
>>
>> Thanh
>>
>
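
Added example, not part of the original thread and not DHIS2 code: output encoding chosen per rendering context for a stored value like the one discussed above. The sample name, the `dhis.example` base URL and all function names are constructed for illustration.

```javascript
// Added illustration, not DHIS2 code. All names and sample values are constructed.
const storedName = '<script>alert("name")</script>'; // value as saved in the field

// HTML text and quoted-attribute context: encode the five significant characters.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Inline <script> context: HTML entities are not decoded here, so emit a JS
// string literal and hide characters that could close the script element.
function escapeJsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// href/src context: escaping does not change the scheme, so allow-list it first.
function safeHref(value) {
  let url;
  try {
    url = new URL(String(value), 'https://dhis.example/'); // placeholder base
  } catch {
    return '#';
  }
  const ok = url.protocol === 'http:' || url.protocol === 'https:';
  return ok ? escapeHtml(String(value)) : '#';
}

function renderCell(name) {
  return '<td title="' + escapeHtml(name) + '">' + escapeHtml(name) + '</td>';
}

function renderInlineScript(name) {
  return '<script>var name = ' + escapeJsLiteral(name) + ';</script>';
}

console.log(renderCell(storedName));
console.log(renderInlineScript(storedName));
console.log(safeHref('javascript:alert(1)'), safeHref('/reports?id=1&x=2'));
```

The stored value is left unchanged in all three cases; only the encoding applied at output differs, which is why a single escape routine used everywhere does not cover script or URL contexts.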
