Hi all, I came across a security alert that basically embeds JavaScript in the display name of the From to initiate cross-site scripting (XSS) attacks. Here is an example:
From: "<script>alert('hack')</script>""user" <sip:user@domain.com>;tag=002a000c
Grammatically, I don't see an issue with this. However, under the right circumstances this could get ugly. Do you see value in having openser take a proactive role to detect these and reject calls? Or is this outside the scope of what a proxy should be doing (leave it to the UA to sanitize)?
Looking to get your thoughts.

-will
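The two options raised in the post, side by side, as an added example that is not part of the original message and is not OpenSER code: a proxy-side check that flags angle brackets in the From display name, and output encoding at the point where the name is rendered. The function names and the second sample header are assumptions made for illustration.

```python
import html
import re

# Sample headers: the first is the one quoted in the post, the second is constructed.
SAMPLE_FROM = [
    'From: "<script>alert(\'hack\')</script>""user" <sip:user@domain.com>;tag=002a000c',
    'From: "Alice" <sip:alice@example.com>;tag=1928301774',
]

# Angle brackets only: names such as O'Brien or "Smith & Sons" must still be relayed.
ANGLE_BRACKETS = re.compile(r'[<>]')

def split_display_name(value):
    """Return (display_name, rest); rest starts at the first unquoted '<'.

    A plain split on '<' is wrong here because the quoted display name may
    itself contain '<', which is exactly the case in the post.
    """
    out, in_quotes, i = [], False, 0
    while i < len(value):
        c = value[i]
        if in_quotes and c == '\\' and i + 1 < len(value):
            out.append(value[i + 1])      # quoted-pair: keep the escaped char
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes     # quotes delimit, they are not content
        elif c == '<' and not in_quotes:
            return ''.join(out).strip(), value[i:]
        else:
            out.append(c)
        i += 1
    return '', value                      # addr-spec form, no display name

def display_name(header_line):
    _, value = header_line.split(':', 1)
    return split_display_name(value)[0]

def proxy_verdict(header_line):
    """Proxy-side option: reject when the display name carries markup."""
    return 'reject' if ANGLE_BRACKETS.search(display_name(header_line)) else 'relay'

def render_for_web(header_line):
    """UA-side option: encode at output time, whatever the proxy decided."""
    return html.escape(display_name(header_line), quote=True)

if __name__ == '__main__':
    for line in SAMPLE_FROM:
        print(proxy_verdict(line), '|', render_for_web(line))
```

The proxy check only narrows what reaches downstream systems; any web page or log viewer that shows the name still needs the output encoding.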