
MWPSK wide open to javascript injection

Topics: Developer Forum, Project Management Forum, User Forum
Apr 18, 2010 at 11:17 AM

I noticed that default.aspx has ValidateRequest="false", so all our generated pages have the protection from javascript injection turned off by default.

Five other .aspx files also have ValidateRequest="false".


The effects of this include:

Newslist allows Javascript injection in the article title, and in the body of the newsitem if entered in HTML view.

The Blog allows javascript injection in the article title and in the blog text, entered in HTML view.

The HTML section allows javascript injection in the HTML view.

The Downloads List section allows javascript injection in the comments.

I have not tested other controls for this, so this does not imply that the problem is limited to those controls I mentioned.

This might not cost you a lot of money, but it could make you and your site look pretty silly.

I was quite surprised, shocked even, to find this (is that unreasonable?) and I have posted this in the Issue Tracker section.


Has anybody had problems as a result of this?

Apr 18, 2010 at 11:07 PM
Edited Apr 18, 2010 at 11:12 PM

No problems here (yet). I turned off HTML view for users, but had forgotten about the other places injection could happen. Thanks!
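
An added example, not part of the thread or of the MWPSK code: a small audit script that lists every .aspx page directive and web.config `<pages>` element where request validation is switched off, so the affected pages can be reviewed one by one. The sample site is constructed; every file name in it other than default.aspx is made up.

```python
import re
import tempfile
from pathlib import Path

# <%@ Page ... %> directive; ASP.NET directive and attribute names are case-insensitive.
PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
# Site-wide switch: <pages validateRequest="false" ...> in web.config.
PAGES_TAG = re.compile(r"<pages\b[^>]*>", re.I | re.S)
# ValidateRequest="false" written with double, single or no quotes.
VR_ATTR = re.compile(r"\bValidateRequest\s*=\s*[\"']?\s*false\b", re.I)


def find_disabled_validation(root):
    """Return sorted (relative_path, line_number, kind) findings under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(".aspx"):
            pattern, kind = PAGE_DIRECTIVE, "page directive"
        elif name == "web.config":
            pattern, kind = PAGES_TAG, "web.config <pages>"
        else:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        # Only look inside the directive/tag, so body text that merely
        # mentions ValidateRequest is not reported.
        for m in pattern.finditer(text):
            if VR_ATTR.search(m.group(0)):
                line = text.count("\n", 0, m.start()) + 1
                findings.append((path.relative_to(root).as_posix(), line, kind))
    return sorted(findings)


def demo():
    # Constructed sample site used only to exercise the scanner.
    files = {
        "default.aspx": '<%@ Page Language="C#" ValidateRequest="false" %>\n<html></html>\n',
        "admin/edit.aspx": "<%-- header --%>\n<%@ page\n   validaterequest = 'False' %>\n",
        "safe.aspx": '<%@ Page Language="C#" %>\n<p>ValidateRequest="false" as text</p>\n',
        "web.config": '<configuration><system.web>\n<pages validateRequest="false" />\n'
                      "</system.web></configuration>\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return find_disabled_validation(tmp)
```

Call `find_disabled_validation()` with the path to the site root; each hit is a page whose form fields should be checked for HTML-encoded output wherever their content is displayed.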