Jacques Le Roux commented on OFBIZ-10054:

About my comment above
bq.  I should note here though that currently the AntiSamy API is not used in 
OFBiz. This is something that still need to be clarified with the authors of 
OFBIZ-10187. Maybe it was easier for them to adapt from XML to Java...

Before asking them I remembered that the AntiSamy API has not been updated 
since 2013, so should be considered as somehow deprecated (it's a century in 
term of security).

> Product content management screen doesn't validate trusted users' input
> -----------------------------------------------------------------------
>                 Key: OFBIZ-10054
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10054
>             Project: OFBiz
>          Issue Type: Bug
>          Components: product
>    Affects Versions: Trunk, Release Branch 16.11
>            Reporter: Jacopo Cappellato
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01, 16.11.06, 18.12.01
> Steps to recreate:
> 1) go to (authenticate with admin/ofbiz):
> https://localhost:8443/catalog/control/EditProductContent?productId=WG-1111
> 2) set the content of the field labeled "Large Image" to:
> non_existent.foo" onerror="alert('Hi!');
> 3) visit the url:
> https://localhost:8443/ecommerce/control/product?product_id=WG-1111
> A popup message will appear with the "Hi!".
> Thanks to Loris Nardo for the report.

This message was sent by Atlassian JIRA

Reply via email to