Changeset 30566


Ignore:
Timestamp:
2016-06-07T18:30:52+12:00 (5 years ago)
Author:
ak19
Message:

Had return statement back to front, returning true when meaning to return false and vice-versa.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • main/trunk/greenstone2/runtime-src/src/recpt/securitytools.cpp

    r28899 r30566  
    5555    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.235_-_URL_Escape_Before_Inserting_Untrusted_Data_into_HTML_URL_Parameter_Values
    5656   
    57     WARNING: Do not encode complete or relative URL's with URL encoding! If untrusted input is meant to be placed into
     57    WARNING: Do not encode complete or relative URLs with URL encoding! If untrusted input is meant to be placed into
    5858    href, src or other URL-based attributes, it should be validated to make sure it does not point to an unexpected
    59     protocol, especially Javascript links. URL's should then be encoded based on the context of display like any other
    60     piece of data. For example, user driven URL's in HREF links should be attribute encoded. For example:
     59    protocol, especially Javascript links. URLs should then be encoded based on the context of display like any other
     60    piece of data. For example, user driven URLs in HREF links should be attribute encoded. For example:
    6161
    6262    String userURL = request.getParameter( "userURL" )
     
    7474
    7575  if(findword(here, end, "javascript:") != end) {
    76     return true;
    77   }
    78   return false;
     76    return false;
     77  }
     78  return true;
    7979}
    8080
Note: See TracChangeset for help on using the changeset viewer.