ofbiz-dev mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (OFBIZ-1193) html code is not sanitized in all the text input field
Date Sun, 29 Nov 2015 13:32:10 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Jacques Le Roux updated OFBIZ-1193:
    Issue Type: Sub-task  (was: Improvement)
        Parent: OFBIZ-1525

> html code is not sanitized in all the text input field
> ------------------------------------------------------
>                 Key: OFBIZ-1193
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1193
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework, specialpurpose/ecommerce
>    Affects Versions: Trunk
>         Environment: any environment
>            Reporter: Vikrant Rathore
>            Assignee: David E. Jones
>             Fix For: Trunk
>         Attachments: error screenshot.jpg, ofbiz-1193-logins.patch, ofbiz-1193-messages_ftl.patch,
> This is a very critical bug in ofbiz: you can put in any html text, including script or iframe
> tags, in the input field for address update or customer name update, i.e. any text field in
> It's a major security issue for all the ofbiz installations, since the text in the input
> text field is not sanitized.
> Below is a small piece of the source code of the page where a script in the demo store for the
> DemoCustomer profile just pops up an alert box.
> <tr>
>       <td width="26%" align="right" valign="top"><div class="tabletext">Address Line 1</div></td>
>       <td width="5">&nbsp;</td>
>       <td width="74%">
>         <input type="text" class='inputBox' size="30" maxlength="30" name="address1"
>       *</td>
>     </tr>
>     <tr>
> Along with this I attached the screenshot; you can try the demo on the ofbiz ecommerce store
> on the ofbiz website and use the DemoCustomer profile, and you will see the same screenshot.

This message was sent by Atlassian JIRA
