On 19/01/2011, at 10:19 AM, Adrian Crum wrote:

> On 1/18/2011 12:56 PM, Jacques Le Roux wrote:
>> From: "Adrian Crum" <[email protected]>
>>> On 1/18/2011 10:08 AM, Jacques Le Roux wrote:
>>>> From: "Adam Heath" <[email protected]>
>>>>> On 01/18/2011 11:46 AM, Adrian Crum wrote:
>>>>>> There are more benefits than that. Flat Grey does not require JavaScript, and it is sight-impaired accessible. It would be the most accommodating point of entry for a new user.
>>>>>
>>>>> Huh? You mean all those href="javascript:submitForm()" stuff has been removed?
>>>>
>>>> No, and that's the real issue... I think it will remain, except if we find another way to avoid XSS from FTL files. I don't feel it will change...
>>>
>>> I don't understand how changing a form's submit button to a link that calls a submit function protects us from XSS attacks.
>>>
>>> -Adrian
>>
>> Just have a look at one of the patches at https://issues.apache.org/jira/browse/OFBIZ-2330 and you should get it
>>
>> it was not forms that were changed but plain URL (get method)
>>
>> The idea is before we had something like
>> <a href='<@ofbizUrl>request?param1=${param1Value}&param2=${param2Value}&....</@ofbizUrl>'>${uiLabelMap....}</a></div></td>
>>
>> So we had parameters in a URL (ie a GET type method) and this could be exploited when the request was a Create, Update or Delete type service (no pb for Read), ie to get an access to the DB.
>>
>> We have now.
>> <form name="request" method="post" action="<@ofbizUrl>request</@ofbizUrl>">
>> <input type="hidden" name="param1" value="${param1Value}"/>
>> <input type="hidden" name="param2" value="${param2Value}"/>
>> <a href='javascript:document.request.submit()'>${uiLabelMap...}</a>
>> </form>
>>
>> As it's a POST request type method with hidden parameters included in a javascript call parameters it's not possible to use XSS Injection (you can't hack the URL from outside to inject a script in it). Just try it if you want to be sure...
>>
>> This is explained clearly at http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/XSS-Injection section "How to test for XSS Injection vulnerabilities"
>>
>> One thing I'm not quite sure though is why we use javascript calls instead of simple submit buttons (almost your question ;o).
>
> That was EXACTLY my question.
>
> -Adrian
I'm not 100% sure but I think we have certain screens where it is unavoidable because the form cannot be placed where the button/link needs to reside. An example of this might be a list with bulk-action checkboxes but also row-level actions.

Regards
Scott
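As an added example (not code from the thread or from OFBiz), here is a small JavaScript renderer for the POST-form-plus-link pattern quoted above, together with the one-form-per-row variant Scott describes; `escapeAttr`, `renderPostLink`, `renderRowActions` and the `/control/` base path are assumed names. What it adds to the discussion is that the hidden-input values are still interpolated into HTML attributes, so they need escaping there just as the URL parameters did.

```javascript
// Added example (not OFBiz code): render the POST-form-and-link pattern from
// the thread as a function, escaping every interpolated value so a hidden
// input cannot break out of its attribute context.
// Assumptions: request names and parameter values are plain strings; the form
// name must be a simple identifier because the link uses document.<name>.

// Escape a string for use inside a double-quoted HTML attribute or text node.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build one hidden-parameter form matching the replacement markup in the
// thread: <form method="post"> + hidden inputs + javascript submit link.
// baseUrl stands in for <@ofbizUrl>, label for ${uiLabelMap...} (assumed).
function renderPostLink(formName, baseUrl, request, params, label) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(formName)) {
    throw new Error("form name must be a simple identifier: " + formName);
  }
  const inputs = Object.entries(params)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}"/>`)
    .join("\n");
  return [
    `<form name="${formName}" method="post" action="${escapeAttr(baseUrl + request)}">`,
    inputs,
    `<a href="javascript:document.${formName}.submit()">${escapeAttr(label)}</a>`,
    `</form>`,
  ].join("\n");
}

// Row-level actions (the case Scott raises): HTML forms cannot nest, so each
// row action gets its own uniquely named form rather than sitting inside the
// list's bulk-action form. rows is an array of { paramName: value } objects.
function renderRowActions(rows, baseUrl, request, label) {
  return rows
    .map((row, i) => renderPostLink(`${request}_${i}`, baseUrl, request, row, label))
    .join("\n");
}
```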
