[
https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17307733#comment-17307733
]
sonny brown jr commented on OFBIZ-1193:
---------------------------------------
Yuk
> html code is not sanitized in all the text input field
> ------------------------------------------------------
>
> Key: OFBIZ-1193
> URL: https://issues.apache.org/jira/browse/OFBIZ-1193
> Project: OFBiz
> Issue Type: Sub-task
> Components: ecommerce, framework
> Affects Versions: Trunk
> Environment: any environment
> Reporter: Vikrant Rathore
> Assignee: David E. Jones
> Priority: Major
> Fix For: Trunk
>
> Attachments: error screenshot.jpg, ofbiz-1193-logins.patch,
> ofbiz-1193-messages_ftl.patch, ofbiz-1193-webtools_entity.patch
>
>
> This a very critical bug in ofbiz you can put in any html text including
> script or iframe tags in the input field for address update or customer name
> update i.e. any text field in ofbiz.
> Its a major security issue for all the ofbiz installation since the text in
> the input text field is not sanitized.
> below is small source code of the page where a script in the demo store for
> DemoCustomer profile which just pops up an alert box.
> <tr>
> <td width="26%" align="right" valign="top"><div
> class="tabletext">Address Line 1</div></td>
> <td width="5"> </td>
> <td width="74%">
> <input type="text" class='inputBox' size="30" maxlength="30"
> name="address1" value=""/><script>alert("a")</script>">
> *</td>
> </tr>
> <tr>
> Along with this attached the screenshot you can try the demo on ofbiz
> ecommerce store on the ofbiz website and use DemoCustomer profile you will
> see the same screenshot.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
