[jira] [Created] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

Jacopo Cappellato (JIRA) Thu, 14 Dec 2017 08:30:36 -0800

Jacopo Cappellato created OFBIZ-10054:
-----------------------------------------


             Summary: Product content management screen doesn't validate 
trusted users' input
                 Key: OFBIZ-10054
                 URL: https://issues.apache.org/jira/browse/OFBIZ-10054
             Project: OFBiz
          Issue Type: Improvement
          Components: product
    Affects Versions: Release Branch 16.11, Trunk
            Reporter: Jacopo Cappellato


Steps to recreate:

1) go to (authenticate with admin/ofbiz):
https://localhost:8443/catalog/control/EditProductContent?productId=WG-1111

2) set the content of the field labeled "Large Image" to:
non_existent.foo&quot; onerror=&quot;alert(&apos;Hi!&apos;);

3) visit the url:
https://localhost:8443/ecommerce/control/product?product_id=WG-1111

A popup message will appear with the "Hi!".

Thanks to Loris Nardo for the report.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

Reply via email to