XSS on demo

Brad Fitzpatrick brad at danga.com
Mon May 23 09:02:31 PDT 2005

Thanks, fixed.

I had a bunch of FIXMEs in the JavaScript code for things like "Lookup
JavaScript's _____-escape function".  But I guess there is no HTML escape
function, so I had to write one.

BTW, your Java OpenID server isn't setting up the return-to URL properly.
With the classic version (where my return-to URL includes ?style=classic),
you're sending my browser to:


And my webserver is correctly saying:

The requested URL /openid/demo/helper.bml?style=classic was not found on
this server.

You have a little too much escaping going on there.  (I assume you doing
the DSA signature and asserting that I'm you is just a test...  :-))

- Brad

On Mon, 23 May 2005, Ken Horn wrote:

> FYI, the HTTP error line (if I return a 500, say), is echoed exactly on
> the demo page -- i.e. cross site scriptable.
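The two escaping issues in this thread, as an added example that is not the demo's code or either poster's: HTML-escaping an untrusted HTTP error line before it is written into a page, and adding parameters to a return-to URL that already carries a query string. The function names, the host `consumer.example`, the `sig` parameter and the sample inputs are constructed, and percent-encoding the `?` is an assumed cause of the 404 quoted above.

```javascript
// Added example; all names and sample values are constructed for illustration.

// Escape the characters that are significant in HTML text and quoted attributes.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The status line comes from a remote server, so treat it as untrusted
// and escape it before building markup that reports the failure.
function renderHttpError(statusLine) {
  return '<span class="error">' + escapeHtml(statusLine) + "</span>";
}

// Too much escaping (assumed cause): the query separator is percent-encoded
// along with the path, so "?" turns into "%3F" and stops being a separator.
function returnToOverEscaped(origin, pathAndQuery, extra) {
  const encoded = pathAndQuery.split("/").map(encodeURIComponent).join("/");
  return origin + "/" + encoded + "?" + new URLSearchParams(extra).toString();
}

// Correct: parse the return-to URL and append to its existing query string.
function returnToWithParams(returnTo, extra) {
  const url = new URL(returnTo);
  for (const [key, value] of Object.entries(extra)) {
    url.searchParams.set(key, value);
  }
  return url.toString();
}

// What a web server resolves as the file path after percent-decoding.
function pathSeenByServer(requestUrl) {
  return decodeURIComponent(new URL(requestUrl).pathname);
}

const extra = { sig: "constructed" };
const bad = returnToOverEscaped("http://consumer.example",
  "openid/demo/helper.bml?style=classic", extra);
const good = returnToWithParams(
  "http://consumer.example/openid/demo/helper.bml?style=classic", extra);

console.log(renderHttpError('500 <b onclick="x">Oops</b> & more'));
console.log(pathSeenByServer(bad));   // path includes "?style=classic"
console.log(pathSeenByServer(good));  // path ends at helper.bml
```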
