On 1/18/2011 12:56 PM, Jacques Le Roux wrote:
From: "Adrian Crum" <[email protected]>
On 1/18/2011 10:08 AM, Jacques Le Roux wrote:
From: "Adam Heath" <[email protected]>
On 01/18/2011 11:46 AM, Adrian Crum wrote:
There are more benefits than that. Flat Grey does not require
JavaScript, and it is sight-impaired accessible. It would be the most
accommodating point of entry for a new user.
Huh? You mean all those href="javascript:submitForm()" stuff has been
removed?
No, and that's the real issue... I think it will remains, except if we
find another way to avoid XSS from FTL files. I don't feel it will
change...
I don't understand how changing a form's submit button to a link that
calls a submit function protects us from XSS attacks.
-Adrian
Just have a look at one of the patches at
https://issues.apache.org/jira/browse/OFBIZ-2330 and you should get it
it was not forms that were changed but plain URL (get method)
The idea is before we had something like
<a
href='<@ofbizUrl>request?param1=${param1Value}¶m2=${param2Value}&....</@ofbizUrl>>${uiLabelMap....}</a></div></td>
So we had parameters in an URL (ie a GET type method) and this could be
exploited when the request was a Create Update or Delete type service
(no pb for Read), ie to get an access to the DB.
We have now.
<form name= "request" method= "post" action=
"<@ofbizUrl>request</@ofbizUrl>">
<input type= "hidden" name= "param1" value= "${param1Value}"/>
<input type= "hidden" name= "param2" value= "${param2Value}"/>
<a href='javascript:document.request.submit()'>${uiLabelMap...}</a>
</form>
As it's a POST request type method with hidden parameters included in a
javascript call parameters it's not possible to use XSS Injection (you
can't hack the URL from outside to inject a script in it). Just try it
if you want to be sure...
This is explained clearly at
http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/XSS-Injection
section "How to test for XSS Injection vulnerabilities"
One thing I'm not quire sure though is why we use javascript calls
instead of simple submit buttons (almost your question ;o).
That was EXACTLY my question.
-Adrian
