Yep, you're right, but what he is talking about is the double opt-in for newsletter sign-ups (you have to do this in Germany). It means that when you have signed up for a newsletter you get a mail with a verification link. OFBiz generates this email, but with a bunch of GET parameters, which is really a security issue. So Mirko suggests using only one hash code which is translated internally. This should minimize the risk of XSS and stuff.
2011/1/22 Jacques Le Roux <[email protected]>

> Quick answer: are you using a GET method with your action (I see these
> parameters in the URL)? Because this is bad for XSS. We use hidden fields
> with POST. But maybe I completely missed the point ;o)
>
> Jacques
>
> From: "Sascha Rodekamp" <[email protected]>
>
>> The main issue we focused on here was the fromDate parameter in the URL.
>>
>> fromDate=2011-01-13 10:46:32.952
>>
>> It's really bad to have a space in the URL, isn't it?
>>
>> 2011/1/13 Mirko Vogelsmeier <[email protected]>
>>
>>> Hi there,
>>>
>>> I've been working on some basic newsletter-signup stuff with OptInCodes.
>>> When accepting an OptInCode the user has to pass through 4 different
>>> variables (OptInCode + 3 primary keys).
>>> Other than this doesn't look nice at all for any given user, it reveals some
>>> of our primary keys, which has an impact on the security.
>>>
>>> This is how my URL looks like:
>>>
>>> .../updateNewsletterStatus?contactListId=1000&partyId=10020&fromDate=2011-01-13 10:46:32.952&optInVerifyCode=9744644563
>>>
>>> I thought about creating an entity with one primary key and 4 foreign keys
>>> (from the above URL).
>>> The primary key could then be a hash value that is passed through by a user.
>>> What do you think about this idea?
>>>
>>> Greetings,
>>> Mirko
>>>
>>> Mirko Vogelsmeier
>>> Trainee IT specialist (Fachinformatiker AEW)
>>> Lynx-Consulting GmbH
>>> Johanniskirchplatz 6
>>> 33615 Bielefeld
>>> Germany
>>> Phone: +49 521 5247-0
>>> Fax: +49 521 5247-250
>>
>> --
>> Sascha Rodekamp
>> Lynx-Consulting GmbH
>> Johanniskirchplatz 6
>> D-33615 Bielefeld
>> http://www.lynx.de
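The single-token design Mirko proposes and Sascha summarises above, sketched as an added Python example that is not part of this thread and not OFBiz code: a hypothetical `OptInStore` keeps a server-side row keyed by the SHA-256 of a random token and holding the `contactListId`, `partyId` and `fromDate` that the old URL exposed, so the verification link carries nothing but the token. `legacy_link` reproduces the original URL shape with every parameter percent-encoded, which is the minimal fix for the space in `fromDate` that Sascha flagged. The class and function names, the 48-hour lifetime and the sample key values are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta
from urllib.parse import urlencode

# Constructed sample values, modelled on the keys quoted in the thread.
CONTACT_LIST_ID = "1000"
PARTY_ID = "10020"
FROM_DATE = "2011-01-13 10:46:32.952"
OPT_IN_CODE = "9744644563"
NOW = datetime(2011, 1, 13, 10, 46, 32)
TOKEN_TTL = timedelta(hours=48)  # assumption: how long a verification link stays valid


def legacy_link(base_url, contact_list_id, party_id, from_date, opt_in_code):
    """The URL shape from the thread, but with every parameter percent-encoded.
    urlencode() turns the space in fromDate into '+' and ':' into '%3A', so the
    link is at least well-formed; the primary keys are still exposed."""
    query = urlencode({"contactListId": contact_list_id, "partyId": party_id,
                       "fromDate": from_date, "optInVerifyCode": opt_in_code})
    return f"{base_url}/updateNewsletterStatus?{query}"


class OptInStore:
    """Hypothetical server-side table: one row per pending opt-in, keyed by a
    hash of the token. The row holds the foreign keys the old URL carried."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> row

    @staticmethod
    def _key(token):
        # Store only a digest: a leaked table dump cannot be turned back into links,
        # and the lookup compares digests, not the attacker-controlled token bytes.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, contact_list_id, party_id, from_date, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, URL-safe alphabet
        self._rows[self._key(token)] = {
            "contactListId": contact_list_id,
            "partyId": party_id,
            "fromDate": from_date,
            "expires": now + TOKEN_TTL,
            "used": False,
        }
        return token

    def verify(self, token, now):
        """Return (contactListId, partyId, fromDate) for a known, unexpired,
        not-yet-used token; None otherwise. Marks the token used on success."""
        row = self._rows.get(self._key(token))
        if row is None or row["used"] or now > row["expires"]:
            return None
        row["used"] = True  # single use: a forwarded or logged link cannot be replayed
        return (row["contactListId"], row["partyId"], row["fromDate"])


def opaque_link(base_url, token):
    """The link the confirmation mail would carry: only the token, nothing to encode."""
    return f"{base_url}/updateNewsletterStatus?{urlencode({'optInVerifyCode': token})}"


if __name__ == "__main__":
    store = OptInStore()
    print("legacy:", legacy_link("https://shop.example/control", CONTACT_LIST_ID,
                                 PARTY_ID, FROM_DATE, OPT_IN_CODE))
    token = store.issue(CONTACT_LIST_ID, PARTY_ID, FROM_DATE, NOW)
    print("opaque:", opaque_link("https://shop.example/control", token))
    print("first click:", store.verify(token, NOW + timedelta(hours=1)))
    print("second click:", store.verify(token, NOW + timedelta(hours=1)))
```

The row that `verify` resolves is exactly the entity with one primary key and the foreign keys from the old URL that Mirko describes; the controller would then call the existing update service with those keys instead of reading them from the request. Expiry and single use are not in the thread, but they are what keeps an opt-in link from being a permanent capability once it lands in a mail archive or proxy log.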
