Commits

Tim Olsen  committed 0896f96

Copied from CVS. This is a hack of a hack. We need to be escaping all displayed content. Until then, we need to catch attempts to store XSS (at least the obvious ones). The restriction was too strict.

  • Parent commits 32f99ca

Files changed (1)

File org/nrg/xft/db/DBAction.java

 				}else{
 					String s=baos.toString();
 					String upper=s.toUpperCase();
-					if(s.contains("<") && s.contains(">") && (upper.contains("SCRIPT") || upper.contains("IMG") || upper.contains("IMAGE"))){
+					if(s.contains("<") && s.contains(">") && (upper.contains("SCRIPT") || ((upper.contains("IMG") || upper.contains("IMAGE")) && (upper.contains("JAVASCRIPT"))))){
 						if(!allowInvalidValues){
 							AdminUtils.sendAdminEmail("Possible Cross-site scripting attempt blocked", s);
 							throw new InvalidValueException("Use of '<' and '>' are not allowed in content.");
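Review bot: the loosened condition on the `+` line narrows a denylist that was already only a stopgap, and the exception message no longer describes what is rejected. After this change a value containing `<` and `>` is blocked only when it also contains `SCRIPT`, or `IMG`/`IMAGE` together with `JAVASCRIPT`; every other markup is stored as-is, while legitimate text such as a description that mentions a "<b>script</b>" is still rejected. Since the message says `Use of '<' and '>' are not allowed in content.` but most content with those characters is now accepted, either reword it to state the actual rule (e.g. "Markup that may contain script is not allowed in content.") or, as the commit message itself says, move the protection to output encoding so that stored content does not have to be filtered by keyword at all. Also fix the grammar: "Use of '<' and '>' is not allowed".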
 				}else{
 					String s=o.toString();
 					String upper=s.toUpperCase();
-					if(s.contains("<") && s.contains(">") && (upper.contains("SCRIPT") || upper.contains("IMG") || upper.contains("IMAGE"))){
+					if(s.contains("<") && s.contains(">") && (upper.contains("SCRIPT") || ((upper.contains("IMG") || upper.contains("IMAGE")) && (upper.contains("JAVASCRIPT"))))){
 						if(!allowInvalidValues){
 							AdminUtils.sendAdminEmail("Possible Cross-site scripting attempt blocked", s);
 							throw new InvalidValueException("Use of '<' and '>' are not allowed in content.");						
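Review bot: this is a verbatim copy of the check in the `baos.toString()` branch above, including the admin e-mail and the exception message. Two identical denylist expressions will drift apart the next time one is adjusted (this commit already had to edit both); extract them into a single method, for instance `private static boolean looksLikeScript(String s)`, call it from both branches, and add a comment stating that this is an interim heuristic pending output escaping.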
 			return o.toString();
 		}
 	}
-	
+		
 	/**
 	 * @param item
 	 * @param toRemove
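Review bot: the `-`/`+` pair here only changes an empty line from one tab to two tabs, i.e. it adds trailing whitespace with no functional effect. Drop it from the commit so the diff contains only the XSS-check change, and consider an editor setting that strips trailing whitespace on save.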