--- On Tue, 1/18/11, Scott Gray <[email protected]> wrote:

> On 19/01/2011, at 10:19 AM, Adrian Crum wrote:
>
> > On 1/18/2011 12:56 PM, Jacques Le Roux wrote:
> >> From: "Adrian Crum" <[email protected]>
> >>> On 1/18/2011 10:08 AM, Jacques Le Roux wrote:
> >>>> From: "Adam Heath" <[email protected]>
> >>>>> On 01/18/2011 11:46 AM, Adrian Crum wrote:
> >>>>>> There are more benefits than that. Flat Grey does not require
> >>>>>> JavaScript, and it is sight-impaired accessible. It would be the most
> >>>>>> accommodating point of entry for a new user.
> >>>>>
> >>>>> Huh? You mean all that href="javascript:submitForm()" stuff has been
> >>>>> removed?
> >>>>
> >>>> No, and that's the real issue... I think it will remain, except if we
> >>>> find another way to avoid XSS from FTL files. I don't feel it will
> >>>> change...
> >>>
> >>> I don't understand how changing a form's submit button to a link that
> >>> calls a submit function protects us from XSS attacks.
> >>>
> >>> -Adrian
> >>
> >> Just have a look at one of the patches at
> >> https://issues.apache.org/jira/browse/OFBIZ-2330 and you should get it.
> >>
> >> It was not forms that were changed but plain URLs (GET method).
> >>
> >> The idea is, before we had something like
> >>
> >> <a href='<@ofbizUrl>request?param1=${param1Value}&param2=${param2Value}&....</@ofbizUrl>'>${uiLabelMap....}</a></div></td>
> >>
> >> So we had parameters in a URL (i.e. a GET type method) and this could be
> >> exploited when the request was a Create, Update or Delete type service
> >> (no pb for Read), i.e. to get access to the DB.
> >>
> >> We have now:
> >>
> >> <form name="request" method="post" action="<@ofbizUrl>request</@ofbizUrl>">
> >>   <input type="hidden" name="param1" value="${param1Value}"/>
> >>   <input type="hidden" name="param2" value="${param2Value}"/>
> >>   <a href='javascript:document.request.submit()'>${uiLabelMap...}</a>
> >> </form>
> >>
> >> As it's a POST request type method, with hidden parameters included in a
> >> javascript call, it's not possible to use XSS Injection (you can't hack
> >> the URL from outside to inject a script in it). Just try it if you want
> >> to be sure...
> >>
> >> This is explained clearly at
> >> http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/XSS-Injection
> >> section "How to test for XSS Injection vulnerabilities"
> >>
> >> One thing I'm not quite sure of though is why we use javascript calls
> >> instead of simple submit buttons (almost your question ;o).
> >
> > That was EXACTLY my question.
> >
> > -Adrian
>
> I'm not 100% sure but I think we have certain screens where it is
> unavoidable because the form cannot be placed where the button/link needs
> to reside. An example of this might be a list with bulk action checkboxes
> but also row level actions.
>
> Regards
> Scott
On most popular websites the bulk action link disappears with JavaScript turned off. For example, on Yahoo mail the "Check All" link disappears with JS turned off.
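Added illustration, not code from OFBiz or from anyone in this thread: a small Node.js script that renders both link shapes quoted above, the GET link with parameters in the href and the POST form with hidden inputs and a javascript: submit link, from a parameter value the user controls. The value `x"><script>alert(1)</script>`, the request name `updateItem` and the function names (`escapeHtml`, `renderGetLink`, `renderPostForm`, `containsScriptTag`, `firstHiddenValue`) are assumptions chosen for the example, not OFBiz identifiers. The point it makes is that what stops a parameter value from becoming markup is output encoding (URL-encoding in the query string, HTML-escaping in the hidden input's value attribute); the switch from GET to POST by itself leaves an unescaped `value="${param1Value}"` exactly as injectable as an unescaped href was.

```javascript
"use strict";

// Escape a string for HTML text content or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Inverse of escapeHtml, used below to show that escaping round-trips: the
// browser decodes the attribute, so the server still receives the raw value.
function unescapeHtml(s) {
  return String(s)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<")
    .replace(/&amp;/g, "&");
}

// "Before" shape from the thread: parameters carried in the href of a GET link.
// With encode=false the values are interpolated raw, like ${param1Value} in a
// template that applies no encoding.
function renderGetLink(request, params, label, encode) {
  const query = Object.entries(params)
    .map(([k, v]) =>
      encode
        ? `${encodeURIComponent(k)}=${encodeURIComponent(v)}`
        : `${k}=${v}`)
    .join("&");
  const href = `${request}?${query}`;
  return `<a href="${encode ? escapeHtml(href) : href}">${encode ? escapeHtml(label) : label}</a>`;
}

// "After" shape from the thread: a POST form with hidden inputs and a
// javascript: link that submits it.
function renderPostForm(request, params, label, encode) {
  const inputs = Object.entries(params)
    .map(([k, v]) =>
      `<input type="hidden" name="${encode ? escapeHtml(k) : k}" value="${encode ? escapeHtml(v) : v}"/>`)
    .join("\n  ");
  return [
    `<form name="${request}" method="post" action="${request}">`,
    `  ${inputs}`,
    `  <a href="javascript:document.${request}.submit()">${encode ? escapeHtml(label) : label}</a>`,
    `</form>`,
  ].join("\n");
}

// Crude detector for the check this example is about: did a parameter value
// manage to open a <script> element in the rendered markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Value of the first hidden input as the browser will submit it (attribute
// decoded), or null if the markup has no hidden input.
function firstHiddenValue(html) {
  const m = /<input type="hidden" name="[^"]*" value="([^"]*)"\/>/.exec(html);
  return m ? unescapeHtml(m[1]) : null;
}

// Constructed sample input (an assumption for this example): an
// attacker-controlled parameter value that closes the attribute it lands in
// and opens a script element.
const ATTACK_VALUE = 'x"><script>alert(1)</script>';

const rawGet   = renderGetLink("updateItem", { id: ATTACK_VALUE }, "Edit", false);
const rawPost  = renderPostForm("updateItem", { id: ATTACK_VALUE }, "Edit", false);
const safeGet  = renderGetLink("updateItem", { id: ATTACK_VALUE }, "Edit", true);
const safePost = renderPostForm("updateItem", { id: ATTACK_VALUE }, "Edit", true);

console.log("GET link,  no encoding, script injected:", containsScriptTag(rawGet));   // true
console.log("POST form, no encoding, script injected:", containsScriptTag(rawPost));  // true
console.log("GET link,  encoded,     script injected:", containsScriptTag(safeGet));  // false
console.log("POST form, encoded,     script injected:", containsScriptTag(safePost)); // false
console.log("Encoded hidden value round-trips:", firstHiddenValue(safePost) === ATTACK_VALUE); // true
```

Run it with `node`. What the POST form does change is that the request can no longer be fired by a plain link or image pointing at the old GET URL, which is the property Jacques is after for the Create, Update and Delete requests; a page on another site can still auto-submit a cross-site POST form carrying the same hidden fields, so a per-session token that the server checks on those requests is what actually closes that path, and a plain `<button type="submit">` inside the form gives the same POST without depending on JavaScript.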
