[freeside-devel] View Maps revised
Ivan Kohler
ivan at freeside.biz
Mon Oct 6 18:52:52 PDT 2008
On Mon, Oct 06, 2008 at 09:55:48AM -0500, Jeremy Davis wrote:
> > And $google_maps should be URI escaped with uri_escape() before being
> > used in the URL, don't you think?
>
> You're probably right, I didn't think about this as freeside does a lot of
> data checks before entering data in the database.
It does, but that doesn't mean the data is clean for a URL. ';', '&'
and '?' are allowed, for example.
If you're running the self-service and allow users to edit their own
addresses, that would seem to provide a route for a possible
end-customer to employee XSS attack...
--
_ivan
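A minimal demonstration of the point above, added here and not part of Freeside or of this thread: the sample address and the two helper subs are constructed for illustration, and the link format is only a stand-in for whatever the view-maps code builds.

```perl
#!/usr/bin/perl
# Added example (not Freeside code): building a map link from a stored
# customer address, once by plain interpolation and once with
# URI::Escape::uri_escape(), as suggested in the thread.
use strict;
use warnings;
use URI::Escape qw(uri_escape);

# Constructed sample: a value that passes a plausibility check for a street
# address yet contains ';', '&', '?' and '"', all of which change the meaning
# of a URL query string or let the value break out of an href attribute.
my $address = q{123 Main St; Suite 4 & "Annex"?};

# Vulnerable form: the stored value goes straight into the URL.
sub naive_map_url {
    my ($addr) = @_;
    return "http://maps.google.com/maps?q=$addr";
}

# Hardened form: percent-encode before use. uri_escape()'s default set
# leaves only A-Z a-z 0-9 - _ . ~ untouched, so ';', '&', '?', '"' and
# spaces all become %XX sequences.
sub safe_map_url {
    my ($addr) = @_;
    return "http://maps.google.com/maps?q=" . uri_escape($addr);
}

# Check used for the demonstration: after the first "?q=", nothing that could
# add a parameter, end the attribute, or start a tag may survive unencoded.
sub url_is_clean {
    my ($url) = @_;
    my ($query) = $url =~ /\?q=(.*)\z/s;
    return defined $query && $query !~ /[;&?"'<> ]/ ? 1 : 0;
}

print "naive: ", naive_map_url($address), "\n";
print "safe:  ", safe_map_url($address),  "\n";
printf "naive clean? %s\n", url_is_clean(naive_map_url($address)) ? "yes" : "no";
printf "safe clean?  %s\n", url_is_clean(safe_map_url($address))  ? "yes" : "no";
```

Addresses holding characters outside Latin-1 should go through uri_escape_utf8() instead, since uri_escape() dies on wide characters. Percent-encoding the query value is separate from HTML-escaping the finished URL when it is written into an attribute; the template still needs the latter.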