
dhis2-devs team mailing list archive

Re: dhis security issue


Yes, at least in DHIS. It will make sure that no JS will be executed. There
might be a need to also escape in input, but we don't do that at the
moment, so what ends up in the database itself might be dangerous. But
these things should always be escaped.

--
Morten


On Sat, Jan 26, 2013 at 5:59 PM, Ngoc Thanh Nguyen <
thanh.hispvietnam@xxxxxxxxx> wrote:

> No, I don't see it. But even by escaping the output, will it be completely
> secured?
>
> Thanh
>
>
> On Sat, Jan 26, 2013 at 11:42 PM, Morten Olav Hansen <mortenoh@xxxxxxxxx> wrote:
>
>> Everything coming out of DHIS should be escaped. Are you saying that you
>> see the alert box where you can see the name?
>>
>> --
>> Morten
>>
>>
>> On Sat, Jan 26, 2013 at 5:37 PM, Ngoc Thanh Nguyen <
>> thanh.hispvietnam@xxxxxxxxx> wrote:
>>
>>> Hi all,
>>>
>>> Sorry if this issue is irrelevant, but when I tried to insert some
>>> malicious script into a dhis2 field, it got stored, like this:
>>> [image: Inline image 1]
>>>
>>> It means that data are not filtered at all. In theory, there is a risk of
>>> an XSS attack. How do we prevent that?
>>>
>>> Thanh
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~dhis2-devs
>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>


