[ 
https://issues.apache.org/jira/browse/OFBIZ-2121?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Adrian Crum closed OFBIZ-2121.
------------------------------

    Resolution: Duplicate

If anyone has anything to contribute, they can contribute it using one of the 
existing Jira issues.


> XSS vulnerability in eCommerce/ordermgr
> ---------------------------------------
>
>                 Key: OFBIZ-2121
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2121
>             Project: OFBiz
>          Issue Type: Bug
>          Components: order
>    Affects Versions: SVN trunk
>            Reporter: Philipp Hoppen
>
> Any HTML/Javascript that is placed within the fields "shipping_instructions" 
> or "gift_message" (possibly other fields too) when making a new order in 
> eCommerce is executed in the ordermgr module when the order is displayed. 
> For example, using this HTML code 
> <iframe
> src="http://ofbiz.apache.org/"
> style="position:absolute;
> top:0;left:0; border:0px
> #FFFFFF none;" name="myframe"
> marginheight="0px"
> marginwidth="0px" height="768"
> width="1024"></iframe>
> an iframe is displayed with the OFBiz project home page. Now suppose the 
> iframe actually displays a faked OFBiz login page or anything like this (the 
> possibilities are endless...).
> Is there any reason why the FTL escape directives are not used (in this case 
> in orderheader.ftl)  to encode content properly using for example something 
> like this:
> <#escape x as x?html>
>   First name: ${firstName}
>   Last name: ${lastName}
>   Maiden name: ${maidenName}
> </#escape> 
> (See http://freemarker.org/docs/ref_directive_escape.html for details)
> I know there were some other Jira issues about similar problems, but I didn't 
> see any current effort to fix these things.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
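As an added example (not code from OFBiz or from this issue thread), the following Python check flags `${...}` interpolations in an FTL template that sit outside a `<#escape x as x?html>` block and lack an explicit `?html`, and shows the output encoding that directive applies to the reporter's iframe payload. The template fragment and payload are constructed stand-ins, not OFBiz's real orderheader.ftl.

```python
import html
import re

# Constructed template fragment (not OFBiz's real orderheader.ftl): a mix of
# raw interpolations, an explicit ?html, and an <#escape> block.
SAMPLE_FTL = """\
<div class="ship">${orderHeader.shippingInstructions}</div>
<div class="gift">${orderHeader.giftMessage?html}</div>
<#escape x as x?html>
  First name: ${firstName}
  Last name: ${lastName}
</#escape>
<span>${orderId}</span>
"""

# One token pattern so <#escape ...>, </#escape> and ${...} are seen in order.
TOKEN = re.compile(r"<#escape\s+(\w+)\s+as\s+\1\?html\s*>|</#escape\s*>|\$\{([^}]*)\}")


def find_unescaped_interpolations(ftl):
    """Return (line_no, expression) for every ${...} that is neither inside a
    <#escape x as x?html> block nor explicitly suffixed with ?html."""
    findings = []
    depth = 0
    for m in TOKEN.finditer(ftl):
        tok = m.group(0)
        if tok.startswith("<#escape"):
            depth += 1
        elif tok.startswith("</#escape"):
            depth = max(depth - 1, 0)
        else:
            expr = m.group(2).strip()
            if depth == 0 and not expr.endswith("?html"):
                line_no = ftl.count("\n", 0, m.start()) + 1
                findings.append((line_no, expr))
    return findings


def html_escape(value):
    """Output encoding equivalent to what ?html does for <, >, & and double
    quotes; Python's html.escape additionally encodes the single quote."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for line_no, expr in find_unescaped_interpolations(SAMPLE_FTL):
        print(f"line {line_no}: ${{{expr}}} is rendered without escaping")
    # Constructed stand-in for the reporter's iframe payload in gift_message.
    payload = '<iframe src="http://ofbiz.apache.org/" name="myframe"></iframe>'
    print(html_escape(payload))
```

The check is deliberately simple (it does not parse nested FreeMarker syntax or `<#noescape>`), so treat its output as candidates for review rather than a verdict.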
