Remember, though, that the script came from the user in question, entered into the address bar; the 'next' parameter (to my knowledge) does not persist and cannot be sent to another user. Therefore, if you want to go ahead and make sure the 'next' variable is escaped, great, but it is not really increasing security, simply preventing confusion.
If I said that this condition is indicative of an XSS attack vector, I may as well say that Apache is vulnerable to a Denial of Service attack because 'after I ran apachectl stop, I could no longer get to my website'.

-richard

On 5/7/08, James Bennett <[EMAIL PROTECTED]> wrote:
>
> On Wed, May 7, 2008 at 2:51 PM, Richard Dahl <[EMAIL PROTECTED]> wrote:
> > Excellent, good catch, when logged out it does indeed display the
> > alert, I imagine it has to do with the 'next' property, which is not, I
> > believe, escaped, as it is not entered into the DB or presented to any
> > other user. So again, it begets the question: How is the XSS attack
> > possible?
>
> I'd imagine the big threat is actually not "scripting" per se, but the
> fact that you can tweak the URL that form submits to for a
> non-logged-in user. That user then, you hope, ignores the glaring
> warning of the URL and submits username/password to wherever you want
> him/her to send it.
>
> Easily prevented by users who have half a brain, but still needs
> fixing. I've cross-posted to django-dev to get it handled.
>
> --
> "Bureaucrat Conrad, you are technically correct -- the best kind of correct."
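The two concerns raised in this exchange are distinct: the reflected 'next' value can carry markup into the login page (Richard's alert), and it can also point the form's submit target somewhere other than the site (James's credential-capture worry). The following is an added, stand-alone example that is not from this thread and not Django's own code; it assumes a login form whose action carries the 'next' value in its query string, and it constructs its own sample inputs. It shows a minimal site-local check for the redirect target, then URL-encodes the value for the query-string context and HTML-escapes it for the attribute context, beside the verbatim-reflection pattern the thread describes.

```python
import html
from urllib.parse import quote, urlsplit

# Constructed sample values (not taken from the thread): what a 'next'
# query parameter might carry after someone edits the login URL.
SAMPLES = {
    "ok_path": "/accounts/profile/",
    "absolute": "http://evil.example/login/",
    "scheme_relative": "//evil.example/login/",
    "backslash": "/\\evil.example/",
    "javascript": "javascript:alert(1)",
    "markup": '/"><script>alert(1)</script>',
}


def safe_next(value, default="/"):
    """Keep a redirect target on this site, or fall back to `default`.

    Rejects anything with a scheme or host (absolute URLs, scheme-relative
    //host URLs, javascript: URLs), paths containing backslashes (which
    some browsers normalise to forward slashes), and values that are not
    plain absolute paths on this site.
    """
    if not value or "\\" in value:
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    return value


def render_form_unsafe(next_value):
    """The pattern discussed in the thread: 'next' reflected verbatim."""
    return f'<form method="post" action="/accounts/login/?next={next_value}">'


def render_form_safe(next_value):
    """Validate the target, URL-encode it for the query string, then
    HTML-escape it for the attribute it is embedded in."""
    target = quote(safe_next(next_value), safe="/")
    attr = html.escape(target, quote=True)
    return f'<form method="post" action="/accounts/login/?next={attr}">'


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:16} -> next={safe_next(value)!r}")
    print(render_form_unsafe(SAMPLES["markup"]))
    print(render_form_safe(SAMPLES["markup"]))
```

The site-local check is what addresses the submit-target concern: a 'next' that names another host is replaced with a default path before it ever reaches the template. The encoding steps address the reflected-markup concern independently, so a value that passes the check but carries quotes or angle brackets still cannot break out of the attribute.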