ofbiz-dev mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-6506) XSS vulnerability in OFBiz forms and screens especially in display-entity component
Date Sun, 05 Jul 2015 21:48:05 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-6506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14614415#comment-14614415 ]

Jacques Le Roux commented on OFBIZ-6506:
----------------------------------------

Could you provide a case to reproduce the initial XSS issue? I tried this:
in a Groovy file called by a screen widget:
{code}
context.test = "<script>alert('alert')</script>"
{code}
in the screen widget:
{code}
<set field="parameters.test" from-field="test"/>
{code}
in the form called by the screen:
{code}
<field name="test"><display/></field>
{code}

I got no JS alert popup, but this in the HTML source:
{code}
<label for="form_test"  id="form_test_title">Test</label>  </td>
  <td colspan="7">
&lt;script&gt;alert&#x28;&#x27;alert&#x27;&#x29;&lt;&#x2f;script&gt;
  </td>
{code}
So, as you see, the data is escaped before being rendered.

There is a reproducible case, and it's:
{code}
<field name="test"><display default-value="&lt;script&gt;alert(&#39;alert&#39;)&lt;/script&gt;"/></field>
{code}
But this is really shooting oneself in the foot only for the fun of it.
If you like to shoot yourself in the foot, there is another way: use the same process as
above but add encode-output="false" in the form widget:
{code}
<field name="test" encode-output="false"><display/></field>
{code}

Please let us know your concern and how to reproduce; otherwise, in a week, I will close this issue
and the Stack Overflow questions as invalid.

> XSS vulnerability in OFBiz forms and screens especially in display-entity component
> -----------------------------------------------------------------------------------
>
>                 Key: OFBIZ-6506
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6506
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>            Reporter: Lilian Iatco
>              Labels: display, entity, form, ofbiz, screen, vulnerability, xss
>
> In an OFBiz form, characters from the description column need to be escaped in a display-entity tag to avoid XSS attacks.
> <display-entity entity-name="Table" description="${description}" >
> I tried to use bsh, as follows:
> <display-entity entity-name="Table" description="${bsh: org.apache.commons.lang.StringEscapeUtils.escapeHtml(&quot;${description}&quot;)}">
> But I get this error:
> Error rendering screen [component://my/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalStateException: This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object.
> (This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object.)
> Also you can see here a similar issue:
> http://stackoverflow.com/questions/30097370/how-to-escape-characters-in-ofbiz-widget



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
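The comment above names two ways a form field ends up rendering unescaped HTML: `encode-output="false"` on a field, and a literal `default-value` on `<display>` that already carries markup. The following audit script is an added example (not OFBiz code and not from the JIRA thread) that scans form widget XML for both settings; the sample form is constructed here from the snippets in the comment.

```python
import xml.etree.ElementTree as ET

# Constructed sample form definition, modelled on the snippets in the comment above
# (hypothetical form and field names; not a real OFBiz file).
SAMPLE_FORM_XML = """<forms>
  <form name="TestForm" type="single">
    <field name="test"><display/></field>
    <field name="raw" encode-output="false"><display/></field>
    <field name="canned">
      <display default-value="&lt;script&gt;alert(&#39;alert&#39;)&lt;/script&gt;"/>
    </field>
  </form>
</forms>"""

MARKUP_CHARS = ("<", ">")


def audit_form_xml(xml_text):
    """Return (form, field, reason) findings for fields whose output is not HTML-escaped.

    Two patterns are flagged: encode-output="false", which turns off the escaping
    that the comment's HTML source shows, and a <display default-value> that still
    contains markup once the XML parser has decoded its entities.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for form in root.iter("form"):
        form_name = form.get("name", "?")
        for field in form.iter("field"):
            field_name = field.get("name", "?")
            if field.get("encode-output", "true").strip().lower() == "false":
                findings.append((form_name, field_name,
                                 'encode-output="false" disables HTML escaping'))
            for display in field.iter("display"):
                # ElementTree has already decoded &lt; &gt; &#39; here, so the
                # attribute holds the same raw string the renderer would emit.
                default_value = display.get("default-value", "")
                if any(c in default_value for c in MARKUP_CHARS):
                    findings.append((form_name, field_name,
                                     "display default-value contains markup: " + default_value))
    return findings


if __name__ == "__main__":
    for form_name, field_name, reason in audit_form_xml(SAMPLE_FORM_XML):
        print(f"{form_name}.{field_name}: {reason}")
```

Run it against real `*Forms.xml` files by reading each file into `audit_form_xml`; the plain `test` field, which the comment shows is escaped, produces no finding.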
