XSS on demo
brad at danga.com
Mon May 23 09:02:31 PDT 2005
function, so I had to write one.
BTW, your Java OpenID server isn't setting up the return-to URL properly.
With the classic version (where my return-to URL includes ?style=classic),
you're sending my browser to:
And my webserver is correctly saying:
The requested URL /openid/demo/helper.bml?style=classic was not found on
You have a little too much escaping going on there. (I assume you're doing
the DSA signature and asserting that I'm you is just a test... :-))
On Mon, 23 May 2005, Ken Horn wrote:
> fyi, the http error line (if I return a 500, say), is echo'd exactly on
> the demo page -- ie cross site scriptable.
> yadis mailing list
> yadis at lists.danga.com
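As an added illustration (not code from this mail, nor from either OpenID implementation discussed), the two issues raised above in Python: appending OpenID response parameters to a return_to URL that already has a query string without over-escaping it, and HTML-escaping the relying party's HTTP status line before the demo page reflects it. The host name, parameters and status line are constructed samples.

```python
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote, unquote

# Constructed sample: the "classic" demo's return_to already carries a query string.
RETURN_TO = "http://rp.example/openid/demo/helper.bml?style=classic"


def build_return_url(return_to: str, params: dict) -> str:
    """Append response parameters to return_to, keeping its existing query.
    Only parameter names/values are percent-encoded; the URL's own '?' and '='
    stay as structure, so the path still ends at helper.bml."""
    parts = urlsplit(return_to)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.extend(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def over_escaped_return_url(return_to: str, params: dict) -> str:
    """Reconstruction of the bug described above (assumption): percent-encoding
    the whole return_to before appending parameters turns '?style=classic'
    into literal path characters (%3F, %3D)."""
    return quote(return_to, safe=":/") + "?" + urlencode(params)


def path_seen_by_server(url: str) -> str:
    """What a web server treats as the request path after decoding."""
    return unquote(urlsplit(url).path)


def render_error_line(status_line: str) -> str:
    """Demo page reflecting the relying party's HTTP status line. Escaping it
    (quotes included) stops a hostile or buggy server from injecting markup,
    which is the cross-site scripting hole Ken reported."""
    return "<p>Server said: %s</p>" % html.escape(status_line, quote=True)


if __name__ == "__main__":
    params = {"openid.mode": "id_res"}
    print(build_return_url(RETURN_TO, params))
    print(path_seen_by_server(over_escaped_return_url(RETURN_TO, params)))
    print(render_error_line("500 <script>alert(1)</script>"))
```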