[freeside-devel] View Maps revised

Ivan Kohler ivan at freeside.biz
Mon Oct 6 18:52:52 PDT 2008


On Mon, Oct 06, 2008 at 09:55:48AM -0500, Jeremy Davis wrote:
> > And $google_maps should be URI escaped with uri_escape() before being
> > used in the URL, don't you think?
> 
> You're probably right, I didn't think about this as freeside does a lot of
> data checks before entering data in the database.

It does, but that doesn't mean the data is clean for a URL.  ';', '&' 
and '?' are allowed, for example.

If you're running the self-service and allow users to edit their own 
addresses, that would seem to provide a route for a possible 
end-customer to employee XSS attack...

-- 
_ivan
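To make the point concrete, here is an added example (not code from the Freeside tree or from either poster) that builds the map link both ways: first by interpolating the address straight into the URL, then with uri_escape() on the query value and HTML entity encoding on the href attribute it ends up in. The sample addresses, the helper names and the maps.google.com URL shape are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI::Escape   qw(uri_escape);
use HTML::Entities qw(encode_entities);

# Constructed sample addresses (hypothetical, not from any Freeside database).
my @addresses = (
    '1234 Main St, Anytown, CA 90210',
    # '&' and '?' pass Freeside's field checks but change the URL's meaning
    '5 Main St & Broadway? Suite 1',
    # what a self-service customer could store to target an employee's browser
    '1 Main St" onmouseover="alert(document.cookie)',
);

# Before: the address is interpolated directly into the URL and the href.
# '&' starts a new query parameter and '"' ends the attribute.
sub map_link_unescaped {
    my $addr = shift;
    return qq(<a href="http://maps.google.com/maps?q=$addr">map</a>);
}

# After: percent-encode the value for the query component, then entity-encode
# the finished URL for the HTML attribute context it is written into.
# Each escaping step matches one output context; neither replaces the other.
sub map_link_escaped {
    my $addr = shift;
    my $url  = 'http://maps.google.com/maps?q=' . uri_escape($addr);
    return '<a href="' . encode_entities($url) . '">map</a>';
}

for my $addr (@addresses) {
    print "address:   $addr\n";
    print "unescaped: ", map_link_unescaped($addr), "\n";
    print "escaped:   ", map_link_escaped($addr), "\n\n";
}
```

With the default unsafe set, uri_escape() turns ' ' into %20, '&' into %26, '?' into %3F and '"' into %22, so the second address stays one query value and the third can no longer close the href attribute. The database-side checks Ivan mentions are not a substitute: they decide what is a valid address, not what is safe in a URL or in HTML, and the escaping belongs at the point of output.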

