Igor Gariev (gariev) wrote in changelog,

[livejournal] r17103: GZR-206: Preview doesn't work in IE8 bro...

Committer: gariev
GZR-206: Preview doesn't work in IE8 browser
U   trunk/htdocs/preview/entry.bml
Modified: trunk/htdocs/preview/entry.bml
===================================================================
--- trunk/htdocs/preview/entry.bml	2010-08-10 02:52:56 UTC (rev 17102)
+++ trunk/htdocs/preview/entry.bml	2010-08-10 07:00:55 UTC (rev 17103)
@@ -6,6 +6,15 @@
     my $ret;
     my $remote = LJ::get_remote();
     my $styleid; my $stylesys = 1;
+   
+    ## This header is to pass page content through IE8 XSS Filter.
+    ## Use-case: 
+    ##  (1) gazeta.ru has POST form with destination http://www.livejournal.com/preview/entry.bml
+    ##  (2) browser sends form data with HTML formatting to /preview
+    ##  (3) LJ.com server sends most of the form input back to browser with unescaped HTML
+    ##  (4) IE8 thinks that LJ.com has XSS vulnerability and rejects to display the page
+    ## http://download.microsoft.com/download/6/6/B/66B06981-67F0-4151-B71D-848BEF65F3C7/Developing%20Securely%20with%20Cross%20Site%20Scripting%20Filter%20%20-%20IE8%20Developer%20Series%20Information%20Page.pdf
+    LJ::Request->header_out("X-XSS-Protection" => 0);
 
     ### Figure out poster/journal
     my ($u, $up);
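Review bot: The new `LJ::Request->header_out("X-XSS-Protection" => 0)` line turns off the browser-side reflected-XSS filter for every response from /preview/entry.bml, and the comment's own step (3) says the page sends form input back "with unescaped HTML", so this fix removes a defence without confirming that the reflected content is safe. Before landing, please state in the comment (or show in the surrounding code) that the previewed entry body and subject go through the same HTML cleaning the site applies when an entry is actually posted, so that disabling the filter only suppresses a false positive rather than masking a real reflection. Two smaller points: the added line above the comment (`+   `) is whitespace only and should be dropped, and step (4) would read better as "IE8 thinks that LJ.com has an XSS vulnerability and refuses to display the page".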

Tags: bml, gariev, livejournal