lua-users home
lua-l archive



> That's true. Fortunately it's not relevant:

<snip>

>
> Do what you want with _step. When the _next event is triggered, _step
> is initialized from i before being output to the user space.
>
> Chris

except for the _html variable:

http://www.lua.inf.puc-rio.br/rsp/step/next
  I am in step 2
http://www.lua.inf.puc-rio.br/rsp/step/?_html=Hello world
  Hello world
http://www.lua.inf.puc-rio.br/rsp/step/next
  Hello world

Keep calling the ../next url until it writes "Finished!" into the _html 
variable.

Also looks like someone else was able to write:
<script type="text/javascript">alert("this could have been a malicious 
script")</script>

into the _html variable and have it show up in my browser.  I have the no-script 
extension blocking javascript by default, so I didn't see the alert dialog.  
I thought there was some other bug showing me an empty page, until I viewed 
the page source.

-- 
Robert G. Jakabosky
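
Added example, not part of the original message and not the RSP source: a constructed Lua model of the behaviour reported above, where a request parameter overwrites the stored `_html` variable and is later written to the page unescaped, next to a hardened handler. The `state` table, the function names and the rule that names starting with `_` are reserved for the server are assumptions made for this illustration.

```lua
-- Constructed model: 'state' stands in for the variables the server
-- keeps between requests. All names here are hypothetical.

local function escape_html(s)
  local map = { ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;",
                ['"'] = "&quot;", ["'"] = "&#39;" }
  return (tostring(s):gsub("[&<>\"']", map))
end

-- Weak: every query parameter is copied into the stored state, and
-- _html is sent to the browser exactly as stored.
local function handle_weak(state, params)
  for k, v in pairs(params) do state[k] = v end
  return state._html
end

-- Hardened: names starting with "_" are reserved for the server and are
-- never taken from the request; the stored value is escaped on output.
local function handle_hardened(state, params)
  for k, v in pairs(params) do
    if type(k) == "string" and k:sub(1, 1) ~= "_" then state[k] = v end
  end
  return escape_html(state._html)
end

-- Constructed payload, shortened from the one quoted in the message.
local payload = '<script type="text/javascript">alert("x")</script>'

-- Constructed request sequence; an empty params table models .../next.
local weak = { _html = "I am in step 2" }
handle_weak(weak, { _html = payload })      -- ?_html=... overwrites state
assert(handle_weak(weak, {}) == payload)    -- later visitors get the markup

local hard = { _html = "I am in step 2" }
handle_hardened(hard, { _html = payload, name = "bob" })
assert(hard._html == "I am in step 2")      -- reserved name was ignored
assert(hard.name == "bob")                  -- ordinary parameter accepted

-- Escaping on output still matters if bad data is already stored.
hard._html = payload
assert(not handle_hardened(hard, {}):find("<script", 1, true))
print(handle_hardened(hard, {}))
```

The two checks are independent: the name filter stops clients from setting server-side variables, and the output escaping covers values that reached the store some other way.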