[jira] [Commented] (OFBIZ-12147) Allow Unsafe Message

Jacques Le Roux (Jira) Wed, 20 Jan 2021 07:32:05 -0800


    [ 
https://issues.apache.org/jira/browse/OFBIZ-12147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17268646#comment-17268646
 ]


Jacques Le Roux commented on OFBIZ-12147:
-----------------------------------------

Hi James,

I could be wrong but I see no reasons to fear a security issue with this 
change, +1

> Allow Unsafe Message
> --------------------
>
>                 Key: OFBIZ-12147
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12147
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: base
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: James Yong
>            Priority: Minor
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-12147
>
>
> Currently, we can display flash message by setting in request attribute 
> "__EVENT_MESSAGE__".
>  Propose to add another request attribute i.e. "__UNSAFE_EVENT_MESSAGE__" for 
> messages that can contain inline javascript.
> One use case is to allow us to display last login timestamp with 
> browser-specific format.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (OFBIZ-12147) Allow Unsafe Message

Reply via email to