Forum OpenACS Q&A: Response to Cross Site Scripting FAQ (fwd)

Posted by Tom Jackson on

Actually, you can create a link in an email and send it to someone with access to the site. Clicking on the link will execute the request, so you can tailor the request at will. You can do that now without JavaScript; in fact, sending this email to you creates a link back to this Openacs.org. Now you hide the link inside another link using JavaScript (maybe it could be an image tag), so your mail program automatically executes this code. So the bottom line is that filtering is only part of the problem. Obviously you cannot filter the entire internet. For most OpenACS-type sites, you can easily determine the email addresses of users and directly send them email.

One possible solution might exist if JavaScript is unable to perform a POST request. In this case, ad_page_contract could be altered in certain parts of the site to deny GET requests.

At the very least this would make an attack more difficult.
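
The mitigation suggested in the post above, sketched as an added example (not part of the original post and not OpenACS code): state-changing pages reject GET, and because a method check alone does not prove that a request came from the site's own form, the example goes one step further and also requires a per-session form token. The paths, key, session ids and function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values: a real deployment loads the key from protected config.
SERVER_KEY = b"constructed-demo-key"
# Hypothetical paths standing in for the "certain parts of the site".
STATE_CHANGING_PREFIXES = ("/demo/change-email", "/demo/post-message")


def issue_token(session_id: str) -> str:
    """Token bound to one session; the site embeds it as a hidden form field."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(url: str) -> bool:
    """Match on the path only, so a query string cannot change the decision."""
    return urlsplit(url).path.startswith(STATE_CHANGING_PREFIXES)


def check_request(method: str, url: str, session_id: str, form_token=None) -> tuple:
    """Return (status, reason) for a request before the page logic runs."""
    if not is_state_changing(url):
        return 200, "ok"
    # A link followed from a mail message arrives as GET: refuse it here.
    if method.upper() != "POST":
        return 405, "state-changing page requires POST"
    # POST alone is not proof of origin: require the session-bound token.
    expected = issue_token(session_id).encode()
    supplied = (form_token or "").encode()
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid form token"
    return 200, "ok"


# Constructed sample requests: (method, url, session id, submitted token).
SAMPLE_REQUESTS = [
    ("GET", "/demo/change-email?email=a%40example.org", "sess-1", None),
    ("POST", "/demo/change-email", "sess-1", None),
    ("POST", "/demo/change-email", "sess-1", issue_token("sess-2")),
    ("POST", "/demo/change-email", "sess-1", issue_token("sess-1")),
    ("GET", "/demo/read-thread?id=7", "sess-1", None),
]

if __name__ == "__main__":
    for method, url, sid, token in SAMPLE_REQUESTS:
        status, reason = check_request(method, url, sid, token)
        print(f"{method:4} {url:45} -> {status} {reason}")
```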