[
https://issues.apache.org/jira/browse/OFBIZ-10054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836323#comment-16836323
]
Jacques Le Roux commented on OFBIZ-10054:
-----------------------------------------
See my last comment about AntiSamy API in OFBIZ-10187. It clarifies that we
still prefer to use https://github.com/OWASP/java-html-sanitizer
> Product content management screen doesn't validate trusted users' input
> -----------------------------------------------------------------------
>
> Key: OFBIZ-10054
> URL: https://issues.apache.org/jira/browse/OFBIZ-10054
> Project: OFBiz
> Issue Type: Bug
> Components: product
> Affects Versions: Trunk, Release Branch 16.11
> Reporter: Jacopo Cappellato
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> Steps to recreate:
> 1) go to (authenticate with admin/ofbiz):
> https://localhost:8443/catalog/control/EditProductContent?productId=WG-1111
> 2) set the content of the field labeled "Large Image" to:
> non_existent.foo" onerror="alert('Hi!');
> 3) visit the url:
> https://localhost:8443/ecommerce/control/product?product_id=WG-1111
> A popup message will appear with the "Hi!".
> Thanks to Loris Nardo for the report.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
