New Response

You are replying to:

  1. Yes it's scary. The only solution (within the law) is to provide a secure system in the first place. But if Developers don't know all the tricks that a hacker uses then can you guarantee your system is secure? Even since mentioning stuff yesterday my server has had a few Domino knowledgeable people having a go at it. For those who tried I hope you liked my little joke messages which you got.

    As far as I can see there are no Hacking Domino type threads around (well there are now you started 'em!).

    But back to the case in hand.

    There are two Domino problems here. Firstly is allowing user entered data to *execute* when viewing. I allow users to enter HTML. However when data is displayed it is done with the old &lt; &gt; tags. So what is sent to the browser looks just like the HTML entered. Not sure if you do it, but if <script>alert('Boo!')</script> gave you a spooky message then you are allowing stuff to execute.

    Secondly is Domino's weird pass-thru of using the square brackets. I'm sure we've all done it. Added pass-thru code directly on pages to allow RichText fields to pass the code directly. [<script>alert('Boo! (with square brackets)')</script>] My technique for stopping this is simply a WQS agent which does a search and replace and inserts a space between the two characters, thereby preventing the pass-thru from working.
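The two mitigations described in the comment above, written out as an added example in Python rather than the commenter's own LotusScript WQS agent: one function escapes user HTML for display, the other breaks the square-bracket pass-thru by inserting a space between `[` and `<`. The two sample payloads are constructed from the strings quoted in the comment; the function names are assumptions.

```python
import html
import re

# Constructed sample inputs, copied from the two test strings in the comment.
PLAIN_PAYLOAD = "<script>alert('Boo!')</script>"
PASSTHRU_PAYLOAD = "[<script>alert('Boo! (with square brackets)')</script>]"


def escape_for_display(text: str) -> str:
    """Problem 1: render user-entered HTML as literal text.
    Replacing < > & " ' with entities makes the browser show the markup
    exactly as typed instead of executing it."""
    return html.escape(text, quote=True)


def break_passthru(text: str) -> str:
    """Problem 2: Domino treats [<...>] in rich text as pass-thru HTML.
    Mirroring the WQS agent in the comment, insert a space between every
    '[' that is immediately followed by '<', so the bracket sequence no
    longer triggers pass-thru (hypothetical save-time filter)."""
    return re.sub(r"\[(?=<)", "[ ", text)


def has_passthru(text: str) -> bool:
    """Detection helper: flag stored content that still contains a '[<'
    pass-thru opener, e.g. when auditing documents saved before the filter."""
    return "[<" in text


def render(text: str) -> str:
    """Defence in depth: apply the save-time filter and the display-time
    escaping together, as the comment does with its WQS agent plus entities."""
    return escape_for_display(break_passthru(text))


if __name__ == "__main__":
    for payload in (PLAIN_PAYLOAD, PASSTHRU_PAYLOAD):
        print("stored :", break_passthru(payload))
        print("shown  :", render(payload))
```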
