uPortal IRC Logs-2009-04-30

[04:01:57 EDT(-0400)] * higmad (n=chatzill@pcit-8752.HIG.SE) has joined ##uportal
[04:07:27 EDT(-0400)] * higmad (n=chatzill@pcit-8752.HIG.SE) has joined ##uportal
[08:25:13 EDT(-0400)] * michelled (n=michelle@CPE001310472ade-CM0011aefd3ca8.cpe.net.cable.rogers.com) has joined ##uportal
[08:31:13 EDT(-0400)] * lennard1 (n=sparhk@98.174.242.39) has joined ##uportal
[08:43:00 EDT(-0400)] * colinclark (n=colin@bas2-toronto09-1176130801.dsl.bell.ca) has joined ##uportal
[08:51:30 EDT(-0400)] * dstn (n=dstn@schultz.its.yale.edu) has joined ##uportal
[08:52:26 EDT(-0400)] * jessm (n=Jess@c-71-232-1-65.hsd1.ma.comcast.net) has joined ##uportal
[08:52:53 EDT(-0400)] * SusanBramhall (i=susanbra@dhcp128036045191.central.yale.edu) has joined ##uportal
[08:56:31 EDT(-0400)] * SusanB (i=susanbra@dhcp128036045191.central.yale.edu) has joined ##uportal
[09:18:01 EDT(-0400)] * fj4000 (n=Jacob@142.150.154.106) has joined ##uportal
[09:21:08 EDT(-0400)] * athena (n=athena@99.129.100.66) has joined ##uportal
[10:18:03 EDT(-0400)] * EricDalquist (n=dalquist@bohemia.doit.wisc.edu) has joined ##uportal
[10:30:50 EDT(-0400)] * anastasiac (n=team@142.150.154.189) has joined ##uportal
[11:53:28 EDT(-0400)] <athena> quirky JSTL question, if anyone knows it
[11:53:40 EDT(-0400)] <EricDalquist> sure
[11:53:47 EDT(-0400)] <athena> i'm trying to use the function taglib to do string replacement to prevent XSS
[11:53:57 EDT(-0400)] <athena> so in this case, to replace apostrophes with escaped ones
[11:54:34 EDT(-0400)] <athena> however, using fn:replace(string, '\'', '\'') on something like "I'm a string"
[11:54:46 EDT(-0400)] <athena> actually results in using the HTML character code for the apostrophe
[11:54:59 EDT(-0400)] <athena> so you wind up with "I&#039;m a string"
[11:55:20 EDT(-0400)] <athena> if you set the value of a form input to that, you actually see the character code in the input field
[11:55:27 EDT(-0400)] <EricDalquist> so I'm trying to remember
[11:55:33 EDT(-0400)] <EricDalquist> why are ' dangerous for XSS?
[11:55:46 EDT(-0400)] <EricDalquist> and does fn:escapeXml() not cover what you need?
[11:56:03 EDT(-0400)] <athena> in this case i'm setting a javascript variable to the java value
[11:56:12 EDT(-0400)] <athena> so var name = '${name}';
[11:56:27 EDT(-0400)] <EricDalquist> http://static.springframework.org/spring/docs/2.5.x/reference/spring.tld.html#spring.tld.htmlEscape
[11:56:29 EDT(-0400)] <EricDalquist> ?
[11:56:35 EDT(-0400)] <athena> if a mean user were to set name to something ' + alert('hi') + ' something
[11:56:40 EDT(-0400)] <athena> you actually get that alert executed
[11:57:17 EDT(-0400)] <athena> escapeXml escapes XML, not quotation mark type things
[11:57:31 EDT(-0400)] <EricDalquist> I think then you can get do <spring:escapeBody javaScriptEscape="true">${myvalue}</spring:escapeBody>
[11:57:37 EDT(-0400)] <EricDalquist> http://static.springframework.org/spring/docs/2.5.x/reference/spring.tld.html#spring.tld.escapeBody
[11:57:42 EDT(-0400)] <athena> interesting
[11:57:59 EDT(-0400)] <athena> i think that's actually exactly what i want
[11:58:03 EDT(-0400)] <EricDalquist> (smile)
[11:58:06 EDT(-0400)] <athena> hm
[11:58:07 EDT(-0400)] <EricDalquist> go spring
[11:58:08 EDT(-0400)] <athena> i'll try it out
[11:58:14 EDT(-0400)] <athena> as always (smile)
[11:58:26 EDT(-0400)] <EricDalquist> Spring'
[11:58:39 EDT(-0400)] <EricDalquist> Spring's message tag has the same javaScriptEscape option
[11:58:46 EDT(-0400)] <athena> nice
[12:01:09 EDT(-0400)] <athena> hey look at that! perfect
[12:01:16 EDT(-0400)] <athena> we should use that in uportal and such
[12:01:37 EDT(-0400)] <athena> one of the items on my list is to go through the portlet admin portlet and apply escaping where necessary
[12:01:44 EDT(-0400)] <athena> thanks so much eric
[12:23:38 EDT(-0400)] * holdorph (n=holdorph@wsip-98-174-242-39.ph.ph.cox.net) has joined ##uportal
[12:33:41 EDT(-0400)] <EricDalquist> no problem
[12:33:49 EDT(-0400)] <EricDalquist> glad it worked (smile)
[12:39:19 EDT(-0400)] * Sememmon (n=Sememmon@wsip-98-174-242-39.ph.ph.cox.net) has joined ##uportal
[13:56:10 EDT(-0400)] <EricDalquist> the statefulness of uPortal frustrates me to no end at times
[13:56:23 EDT(-0400)] <athena> boo
[13:58:01 EDT(-0400)] <EricDalquist> though holdorph posted a nice link on facebook that made me laugh
[13:58:02 EDT(-0400)] <EricDalquist> http://www.scottkelby.com/blog/2009/archives/4564
[13:58:34 EDT(-0400)] <athena> lol
[13:58:58 EDT(-0400)] <athena> scared the crap out of some new yorkers, from what i hear
[13:59:05 EDT(-0400)] <EricDalquist> yeah, I bety
[13:59:06 EDT(-0400)] <EricDalquist> bet
[14:02:17 EDT(-0400)] <holdorph> you know, just when you think the government can't surprise you any more dramatically than the $10,000 hammer.... they go and do something like that.
[14:05:59 EDT(-0400)] <holdorph> BTW eric, if you follow facebook updates that closely, you might be interested in following twitter feeds for some people instead or in addition to. I know some people don't link the two. And also any updates that begin with the @ sign, don't get updated on facebook.
[14:06:25 EDT(-0400)] * EricDalquist doesn't think he is cool enough for twitter (wink)
[14:06:32 EDT(-0400)] * athena finally caved into twitter as of march
[14:06:44 EDT(-0400)] <holdorph> you can 'follow' people without posting.
[14:06:58 EDT(-0400)] <holdorph> it's akin to logging into facebook to read updates, but never posting an update yourself.
[14:07:13 EDT(-0400)] <EricDalquist> ah
[14:07:26 EDT(-0400)] <EricDalquist> can I follow them both in one place?
[14:07:40 EDT(-0400)] <holdorph> soon
[14:07:49 EDT(-0400)] <holdorph> facebook just released an open api to get facebook updates
[14:08:00 EDT(-0400)] <athena> there is a dashboard widget to read twitter
[14:08:02 EDT(-0400)] <holdorph> i hear seesmic (sp?) already has support for both
[14:08:08 EDT(-0400)] <athena> which is kind of a nice low-investment way to follow it
[14:08:27 EDT(-0400)] <athena> the one i have is called "twidget"
[14:09:24 EDT(-0400)] <holdorph> i use 'gwibber' on linux to follow twitter, and I'm hoping they add a facebook api at some point. although, if they don't that's ok, I enjoy my twitter updates a lot more than the facebook ones.
[14:09:58 EDT(-0400)] <EricDalquist> hrm
[14:11:15 EDT(-0400)] <holdorph> i'm not here to push twitter, just thought anyone following facebook updates might be interested in it, because it's similar in some ways.
[14:15:57 EDT(-0400)] <EricDalquist> (smile)
[14:28:36 EDT(-0400)] * fj4000 (n=Jacob@142.150.154.106) has joined ##uportal
[17:01:12 EDT(-0400)] * anastasiac (n=team@142.150.154.189) has left ##uportal
[17:19:05 EDT(-0400)] * lennard1 (n=sparhk@wsip-98-174-242-39.ph.ph.cox.net) has joined ##uportal
[17:46:16 EDT(-0400)] * michelled (n=michelle@CPE001310472ade-CM0011aefd3ca8.cpe.net.cable.rogers.com) has left ##uportal
[19:04:43 EDT(-0400)] * apetro (n=apetro@wsip-98-174-242-39.ph.ph.cox.net) has joined ##uportal
[19:26:09 EDT(-0400)] * EricDalquist (n=EricDalq@adsl-71-150-249-231.dsl.mdsnwi.sbcglobal.net) has joined ##uportal
[20:11:26 EDT(-0400)] * EricDalquist (n=EricDalq@adsl-71-150-249-231.dsl.mdsnwi.sbcglobal.net) has joined ##uportal
[20:14:06 EDT(-0400)] * lennard1 (n=sparhk@wsip-98-174-242-39.ph.ph.cox.net) has joined ##uportal
[20:18:17 EDT(-0400)] * lennard1 (n=sparhk@wsip-98-174-242-39.ph.ph.cox.net) has left ##uportal