[ https://issues.apache.org/jira/browse/OFBIZ-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marco Risaliti updated OFBIZ-178:
---------------------------------
Component/s: INCORPORATING ISSUE (was: ecommerce)
Fix Version/s: SVN trunk
Affects Version/s: SVN trunk
> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
> Key: OFBIZ-178
> URL: https://issues.apache.org/jira/browse/OFBIZ-178
> Project: OFBiz
> Issue Type: Bug
> Components: INCORPORATING ISSUE
> Affects Versions: SVN trunk
> Reporter: Eriks Dobelis
> Assignee: Jacques Le Roux
> Fix For: SVN trunk
>
>
> Currently HTML tags are filtered from forum messages by client-side
> JavaScript (whyzzywig.js). If JavaScript is turned off (or a local web proxy is
> used to filter or change the script), then a user can post a forum message
> containing any HTML code, including <script> tags, e.g.
> <script>alert('test');</script>
> This is a classic cross-site scripting problem with all the consequences (e.g.
> writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that
> a user could change that text. I have not checked that, but as there are fields
> like dataResourceTypeId and contentTypeId, a user can probably create any type
> of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>