[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518942 ]

Vikrant Rathore commented on OFBIZ-1193:
----------------------------------------

Let's work as we discussed: try to remove all the HTML from text box input. In 
general we do not need HTML for address or text fields, except text areas, where 
we need to sanitize the HTML.

Probably submit the patch to the community if they accept.

In my view no company would accept an ecommerce and backend application which 
can allow hijacking of client computers (especially the operator using the 
system in the backend), which may lead to access to their backend systems.


> html code is not sanitized in all the text input field
> ------------------------------------------------------
>
>                 Key: OFBIZ-1193
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1193
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: SVN trunk
>         Environment: any environment
>            Reporter: Vikrant Rathore
>         Attachments: error screenshot.jpg
>
>
> This is a very critical bug in OFBiz: you can put any HTML text, including 
> script or iframe tags, in the input field for address update or customer name 
> update, i.e. any text field in OFBiz.
> It's a major security issue for all OFBiz installations, since the text in 
> the input text field is not sanitized.
> Below is a small piece of the page source where a script in the demo store for 
> the DemoCustomer profile just pops up an alert box.
> <tr>
>       <td width="26%" align="right" valign="top"><div 
> class="tabletext">Address Line 1</div></td>
>       <td width="5">&nbsp;</td>
>       <td width="74%">
>         <input type="text" class='inputBox' size="30" maxlength="30" 
> name="address1" value=""/><script>alert("a")</script>">
>       *</td>
>     </tr>
>     <tr>
> Along with this I have attached the screenshot; you can try the demo on the 
> OFBiz ecommerce store on the OFBiz website and use the DemoCustomer profile, 
> and you will see the same screenshot.
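The breakout shown in the quoted page source happens because the stored field value is written into the `value` attribute verbatim, so the attacker's leading double quote closes the attribute. The following is an added example (not OFBiz code and not from the reporter) contrasting that template behaviour with attribute-context output encoding, plus the tag-stripping pass for plain text fields that the comment above proposes; the input string reproduces the injected text visible in the report, and all function names are hypothetical.

```python
import html
import re

# Reproduces the injected "Address Line 1" value from the report's page
# source (constructed input, same text as the reporter's screenshot).
INJECTED_ADDRESS = '"/><script>alert("a")</script>'

def render_address_input_unsafe(value: str) -> str:
    """Template behaviour the report describes: the stored value is dropped
    into the attribute verbatim, so the leading quote ends the attribute and
    the rest of the value becomes live markup."""
    return f'<input type="text" name="address1" value="{value}"/>'

def render_address_input_safe(value: str) -> str:
    """Same template with attribute-context output encoding: &, <, >, " and '
    become entities, so the browser never leaves the attribute value.
    This is the fix that actually stops the breakout, whatever was stored."""
    return f'<input type="text" name="address1" value="{html.escape(value, quote=True)}"/>'

_TAG_RE = re.compile(r'<[^>]*>')

def strip_html(value: str) -> str:
    """Input-side measure from the comment for fields that never need markup
    (name, address): remove tags until none re-form. Defence in depth only;
    it does not replace encoding on output."""
    previous = None
    while previous != value:
        previous, value = value, _TAG_RE.sub('', value)
    return value

def is_plain_text(value: str) -> bool:
    """Validation gate: reject a submission for a plain text field rather
    than silently repairing it when any tag was present."""
    return strip_html(value) == value

def leaves_attribute(rendered: str) -> bool:
    """Detection helper: True if the rendered markup contains more than the
    one <input> tag, i.e. the value escaped its attribute context."""
    return rendered.count('<') != 1 or '<script' in rendered.lower()
```

Run against `INJECTED_ADDRESS`, the unsafe renderer produces a second `<script>` tag exactly as in the quoted source, the safe renderer produces a single `<input>` tag whose value is entity-encoded, and `is_plain_text` rejects the submission before it is stored.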

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
