Resolving cross site scripting issues.
I got a bug report about the following in the admin UI for RavenDB.
As you can imagine, this is certainly something that we would like to avoid, but there is a problem. How the hell do you find the problem?
I mean, obviously we are encoding the value when we present it to the user, since I can see it on the UI. But it is still running, so I am doing something bad here. But I don’t feel like traversing through a mountain of JavaScript to find out exactly where this is happening. Luckily, we don’t have to, we can use the XSS itself to help it localize it:
And given that, we can get directly to the actual fault:
And fixing that is a snap.

Comments
Comment preview