[
https://issues.apache.org/jira/browse/OFBIZ-6506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14623383#comment-14623383
]
Jacques Le Roux commented on OFBIZ-6506:
----------------------------------------
I don't see what you are chasing. If I put
{code}
?productId=<script>alert('alert')</script>
{code}
after a URL, and use
{code}
<field name="productId" tooltip="${uiLabelMap.ProductId} [${productId}]"><text size="20" maxlength="20"/></field>
{code}
in a form, after passing the partyId value from a screen with
{code}
<set field="productId" from-field="parameters.productId"/>
{code}
This is what I get on screen !Tooltip no XSS issue.png!
And this is what I see in the HTML source
{code}
<input type="text" name="productId" value="<script>alert('alert')</script>" size="20" maxlength="20" id="addSmsContactPerson_productId" /><script language="JavaScript" type="text/javascript">ajaxAutoCompleter('', false, 2, 300);</script>
<span class="tooltip">Product Id [<script>alert('alert')</script>]</span>
{code}
Of course, same when using your example, which is in no way a means to show an
XSS issue. A JavaScript must be actionable; I think I was pretty clear with the
examples I gave above.
{code}
<input type="text" name="productId" value="<font color=red>XSS</font>" size="20" maxlength="20" id="formName_productId"/><script language="JavaScript" type="text/javascript">ajaxAutoCompleter('', false, 2, 300);</script>
<span class="tooltip">Product Id [<font color=red>XSS</font>]</span>
{code}
So it's now clear to me that this does not show an XSS vulnerability and I
close this issue as invalid.
A last question though: which version are you using? I used the trunk HEAD, but
normally none of the supported versions have XSS vulnerabilities. All known so
far have been fixed months ago; see the "Security Vulnerabilities" section at
the bottom of http://ofbiz.apache.org/download.html. The last one was fixed
almost a year ago.
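The argument in the comment above turns on whether injected text ever becomes actionable markup. As an added check (not OFBiz code and not from this thread), the following Python parses a rendered form fragment with the standard-library HTML parser and reports where the injected string lands; both samples are constructed from the markup posted above, the escaped one assuming the renderer entity-encodes the value, the raw one being what a non-encoding renderer would emit.

```python
from html.parser import HTMLParser

PAYLOAD = "<script>alert('alert')</script>"

# Constructed sample: what an entity-encoding renderer emits for ?productId=<PAYLOAD>.
ESCAPED = (
    '<input type="text" name="productId" '
    'value="&lt;script&gt;alert(\'alert\')&lt;/script&gt;" size="20"/>'
    "<script type=\"text/javascript\">ajaxAutoCompleter('', false, 2, 300);</script>"
    '<span class="tooltip">Product Id [&lt;script&gt;alert(\'alert\')&lt;/script&gt;]</span>'
)
# Constructed sample: the same markup with the value copied through unencoded.
RAW = ESCAPED.replace("&lt;", "<").replace("&gt;", ">")

class PayloadLocator(HTMLParser):
    """Note where PAYLOAD lands: attribute text, element text, or the body of a
    real <script> element. Only the last of these is something a browser runs."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True, so entities are decoded for us
        self.in_script = False
        self.contexts = set()
        self.script_bodies = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.script_bodies.append("")
        if any(value and PAYLOAD in value for _, value in attrs):
            self.contexts.add("attribute")  # inert: stays inside a quoted value

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
            if "alert('alert')" in self.script_bodies[-1]:
                self.contexts.add("script")  # actionable: the browser would run it

    def handle_data(self, data):
        if self.in_script:
            self.script_bodies[-1] += data
        elif PAYLOAD in data:
            self.contexts.add("text")  # inert: decoded entities are still just text

def locate_payload(markup):
    """Return (contexts, actionable script bodies) for one rendered form fragment."""
    locator = PayloadLocator()
    locator.feed(markup)
    locator.close()
    return locator.contexts, [b for b in locator.script_bodies if "alert('alert')" in b]
```

Running `locate_payload` on both samples shows the escaped output never yields a script element, while the raw copy does.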
> XSS vulnerability in OFBiz forms and screens especially in display-entity
> component
> -----------------------------------------------------------------------------------
>
> Key: OFBIZ-6506
> URL: https://issues.apache.org/jira/browse/OFBIZ-6506
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Reporter: Lilian Iatco
> Assignee: Jacques Le Roux
> Labels: display, entity, form, ofbiz, screen, vulnerability, xss
> Attachments: Tooltip no XSS issue.png
>
>
> In an OFBiz form, characters from the description column in a display-entity
> tag need to be escaped to avoid XSS attacks.
> {code}<display-entity entity-name="Table" description="${description}" >{code}
> I tried to use bsh, as follows:
> {code}<display-entity entity-name="Table" description="${bsh:org.apache.commons.lang.StringEscapeUtils.escapeHtml("${description}")}">{code}
> But I get this error:
> {code}
> Error rendering screen
> [component://my/widget/CommonScreens.xml#GlobalDecorator]:
> java.lang.IllegalStateException: This object has been flagged as immutable
> (unchangeable), probably because it came from an Entity Engine cache. Cannot
> set a value in an immutable entity object.
> (This object has been flagged as immutable (unchangeable), probably because
> it came from an Entity Engine cache. Cannot set a value in an immutable
> entity object.)
> {code}
> PS:
> You can also see a similar issue here:
> http://stackoverflow.com/questions/30097370/how-to-escape-characters-in-ofbiz-widget
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)