From: "Adrian Crum" <[email protected]>
On 1/18/2011 12:56 PM, Jacques Le Roux wrote:
From: "Adrian Crum" <[email protected]>
On 1/18/2011 10:08 AM, Jacques Le Roux wrote:
From: "Adam Heath" <[email protected]>
On 01/18/2011 11:46 AM, Adrian Crum wrote:
There are more benefits than that. Flat Grey does not require
JavaScript, and it is sight-impaired accessible. It would be the most
accommodating point of entry for a new user.
Huh? You mean all those href="javascript:submitForm()" stuff has been
removed?
No, and that's the real issue... I think it will remain, except if we
find another way to avoid XSS from FTL files. I don't feel it will
change...
I don't understand how changing a form's submit button to a link that
calls a submit function protects us from XSS attacks.
-Adrian
Just have a look at one of the patches at
https://issues.apache.org/jira/browse/OFBIZ-2330 and you should get it.
It was not forms that were changed but plain URLs (GET method).
The idea is that before we had something like
<a href='<@ofbizUrl>request?param1=${param1Value}&param2=${param2Value}&....</@ofbizUrl>'>${uiLabelMap....}</a></div></td>
So we had parameters in a URL (i.e. a GET-type method) and this could be
exploited when the request was a Create, Update or Delete type service
(no problem for Read), i.e. to get access to the DB.
We now have:
<form name="request" method="post" action="<@ofbizUrl>request</@ofbizUrl>">
  <input type="hidden" name="param1" value="${param1Value}"/>
  <input type="hidden" name="param2" value="${param2Value}"/>
  <a href='javascript:document.request.submit()'>${uiLabelMap...}</a>
</form>
As it's a POST-type request with the hidden parameters passed through a
JavaScript call, it's not possible to use XSS injection (you can't hack
the URL from outside to inject a script in it). Just try it if you want
to be sure...
This is explained clearly at
http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/XSS-Injection
section "How to test for XSS Injection vulnerabilities"
One thing I'm not quite sure about though is why we use JavaScript calls
instead of simple submit buttons (almost your question ;o).
That was EXACTLY my question.
Right, but most of the changes which introduced those js calls were not done on
forms but plain URLs. That's why I explained it
all... For instance CopyAgreement.ftl has not been changed...
But yes, I think we could replace them by simple submit buttons. I can see no
reason why we should not.
BTW I have just tried with
deletePartyContactMechPurpose_${partyContactMechPurpose.contactMechPurposeTypeId}
in
specialpurpose/ecommerce/webapp/ecommerce/customer/editcontactmech.ftl and it
works well. I replaced
<!--a href='javascript:document.deletePartyContactMechPurpose_${partyContactMechPurpose.contactMechPurposeTypeId}.submit()'
class='button'> ${uiLabelMap.CommonDelete} </a-->
by
<input type="submit" name="deletePartyContactMechPurpose_${partyContactMechPurpose.contactMechPurposeTypeId}" class='button'
value=" ${uiLabelMap.CommonDelete} "/>
No differences, no security error messages...
Maybe I'm missing something (XSS-reinforced security?). But, like you, I can't see
what! (I specifically chose a dynamic input name.)
Jacques
-Adrian
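An added illustration of the two halves of what the thread settles on (example code written for this page, not OFBiz's own): rendering the GET link as a POST form with a plain submit button instead of a javascript: link, and a server-side check that only accepts Create/Update/Delete requests over POST. The request-name list, the `/control/` action prefix and the `_<suffix>` naming convention are assumptions made for the example; values are HTML-escaped so a parameter value cannot break out of its attribute.

```python
import html
from typing import Mapping

# Constructed sample of request names treated as state-changing (Create/Update/Delete).
# This is NOT OFBiz's real controller configuration; it stands in for it here.
STATE_CHANGING_REQUESTS = {
    "deletePartyContactMechPurpose",
    "createAgreement",
    "updateAgreement",
}


def render_post_form(request: str, params: Mapping[str, str], label: str) -> str:
    """Render the POST-form replacement for a GET link, in the shape the thread
    shows, but with a plain <input type="submit"> instead of a javascript: link.
    Every attribute value is escaped with html.escape(quote=True)."""
    form_name = html.escape(request, quote=True)
    hidden_inputs = "\n".join(
        f'  <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}"/>'
        for k, v in params.items()
    )
    # "/control/<request>" is an assumed action URL standing in for <@ofbizUrl>.
    return (
        f'<form name="{form_name}" method="post" action="/control/{form_name}">\n'
        f"{hidden_inputs}\n"
        f'  <input type="submit" name="{form_name}" class="button" '
        f'value="{html.escape(label, quote=True)}"/>\n'
        "</form>"
    )


def accept_request(request: str, method: str) -> bool:
    """Server-side check: a state-changing request is only accepted over POST.
    The dynamic suffix (e.g. deletePartyContactMechPurpose_PHONE_HOME) is
    stripped before the lookup; read-only requests are accepted over any method."""
    base_name = request.split("_", 1)[0]
    if base_name in STATE_CHANGING_REQUESTS:
        return method.upper() == "POST"
    return True


if __name__ == "__main__":
    print(render_post_form("deletePartyContactMechPurpose",
                           {"contactMechId": "10000",
                            "contactMechPurposeTypeId": "PHONE_HOME"},
                           "Delete"))
    print(accept_request("deletePartyContactMechPurpose_PHONE_HOME", "GET"))
```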