From: "Adrian Crum" <[email protected]>
On 1/18/2011 10:08 AM, Jacques Le Roux wrote:
From: "Adam Heath" <[email protected]>
On 01/18/2011 11:46 AM, Adrian Crum wrote:
There are more benefits than that. Flat Grey does not require
JavaScript, and it is sight-impaired accessible. It would be the most
accommodating point of entry for a new user.

Huh? You mean all those href="javascript:submitForm()" stuff has been
removed?

No, and that's the real issue... I think it will remain, unless we
find another way to avoid XSS from FTL files. I don't feel it will
change...

I don't understand how changing a form's submit button to a link that calls a 
submit function protects us from XSS attacks.

-Adrian

Just have a look at one of the patches at 
https://issues.apache.org/jira/browse/OFBIZ-2330 and you should get it

It was not forms that were changed but plain URLs (GET method).

The idea is that before we had something like
<a href='<@ofbizUrl>request?param1=${param1Value}&param2=${param2Value}&....</@ofbizUrl>'>${uiLabelMap....}</a></div></td>
So we had parameters in a URL (i.e. a GET-type method), and this could be exploited when the request was a Create, Update or Delete type service (no problem for Read), i.e. to get access to the DB.

We now have:
<form name="request" method="post" action="<@ofbizUrl>request</@ofbizUrl>">
   <input type="hidden" name="param1" value="${param1Value}"/>
   <input type="hidden" name="param2" value="${param2Value}"/>
   <a href='javascript:document.request.submit()'>${uiLabelMap...}</a>
</form>
As it's a POST-type request with hidden parameters included in a JavaScript call, it's not possible to use XSS injection (you can't hack the URL from outside to inject a script into it). Just try it if you want to be sure...

This is explained clearly at http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/XSS-Injection section "How to test for XSS Injection vulnerabilities"

One thing I'm not quite sure about though is why we use JavaScript calls instead of simple submit buttons (almost your question ;o). Maybe it adds a bit of security because it's harder to inject JavaScript code into it (injecting <script></script> tags inside another <script></script> tag pair)? But there are some cases where it's not used (CopyAgreement.ftl for instance), so I'm not sure; I simply followed the way it was done before I had to change one...

Of course we use ESAPI behind the scenes to handle parameter encoding/decoding aspects.

If you want to dig further, have a look at 
https://issues.apache.org/jira/browse/OFBIZ-1525

HTH

Jacques
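
The GET-link-to-POST-form change described in the message above, as an added example that is not code from the thread or from OFBiz: one parameter map is rendered both ways, and every parameter value is HTML-attribute-escaped before it lands in the markup, which is the role the message assigns to ESAPI. The function names, the `updateParty` request name and the sample parameter values are assumptions made for illustration; the escaper is a minimal stand-in, not ESAPI itself.

```javascript
// Added example (not OFBiz code): the "before" GET link and the "after"
// POST form from the thread, generated from one parameter map.
// Every value is HTML-attribute-escaped before it lands in the markup;
// in OFBiz that escaping is what the thread says ESAPI does behind the scenes.
// All function names and the sample request/parameters are assumptions.

// Minimal HTML attribute escaper (stand-in for ESAPI's encodeForHTMLAttribute).
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The form name is also used as a JavaScript property (document.<name>),
// so it must be a plain identifier; refuse anything else.
function assertRequestName(request) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(request)) {
    throw new Error("request name is not a safe identifier: " + request);
  }
  return request;
}

// "Before": every parameter travels in the query string of a GET link.
function renderGetLink(request, params, label) {
  assertRequestName(request);
  const query = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
  // '&' between parameters becomes '&amp;' inside the href attribute, as HTML requires.
  return `<a href="${escapeHtmlAttr(request + "?" + query)}">${escapeHtmlAttr(label)}</a>`;
}

// "After": the same parameters as hidden inputs in a POST form that a
// javascript: link submits, mirroring the pattern from the OFBIZ-2330 patches.
function renderPostForm(request, params, label) {
  assertRequestName(request);
  const inputs = Object.entries(params).map(
    ([k, v]) => `  <input type="hidden" name="${escapeHtmlAttr(k)}" value="${escapeHtmlAttr(v)}"/>`
  );
  return [
    `<form name="${request}" method="post" action="${request}">`,
    ...inputs,
    `  <a href="javascript:document.${request}.submit()">${escapeHtmlAttr(label)}</a>`,
    `</form>`,
  ].join("\n");
}

// Constructed sample: a hostile parameter value that tries to close the
// value="..." attribute and start a <script> tag.
const sampleParams = { partyId: "10000", note: '"><script>alert(1)</script>' };

console.log(renderGetLink("updateParty", sampleParams, "Update"));
console.log(renderPostForm("updateParty", sampleParams, "Update"));
```

Whichever shape the link takes, the hostile `note` value comes out as `&quot;&gt;&lt;script&gt;...` inside the hidden input rather than as live markup; the attribute escaping, not the switch from GET to POST, is what keeps a parameter value from breaking out of `value="..."`, so it has to be applied in both versions.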
