[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12429994 ]

Jacques Le Roux commented on OFBIZ-178:
---------------------------------------

Eriks,

The js file is actually whizzywig.js.

Using the latest svn, I tried to load a forum from the eCommerce 1st page and I got this message:

org.ofbiz.base.util.GeneralException: Error rendering screen [component://ecommerce/widget/ForumScreens.xml#Showforum]: java.lang.IllegalArgumentException: Error calling service with name performFindList: org.ofbiz.service.ServiceValidationException: The following required parameter is missing: [performFindList.listSize] (Error calling service with name performFindList: org.ofbiz.service.ServiceValidationException: The following required parameter is missing: [performFindList.listSize])

Please, as I don't really need forums for now, might you take a look at this problem before?

TIA

Jacques

> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
>          Key: OFBIZ-178
>          URL: http://issues.apache.org/jira/browse/OFBIZ-178
>      Project: OFBiz (The Open for Business Project)
>   Issue Type: Bug
>   Components: ecommerce
>     Reporter: Eriks Dobelis
>
> Currently HTML tags are filtered from forum messages by client side
> javascript (whyzzywig.js). If JavaScript is turned off (or a local webproxy is
> used to filter or change the script), then a user can post a forum message
> containing any HTML code, including <script> tags, e.g.
> <script>alert('test');</script>
> This is a classic cross site scripting problem with all the consequences (e.g.
> writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that
> the user could change that text. I have not checked that, but as there are fields
> like dataResourceTypeId, contentTypeId then probably the user can create any type
> of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>
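
A server-side treatment of the two problems the report describes, as an added example that is not OFBiz code and not part of the original message: the type fields sent as hidden inputs are checked against an allowlist, and the message body is HTML-encoded before display. The class name, the messageText field name, the TEMPLATE value and the allowlist contents are assumptions; a forum that must keep rich-text formatting would need a server-side HTML sanitizer in place of plain encoding.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class ForumPostGuard {
    // Type fields the form ships as hidden inputs, with the only values a forum reply may use
    // (allowlist contents are an assumption of this example).
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "dataResourceTypeId", Set.of("ELECTRONIC_TEXT"),
        "contentTypeId", Set.of("DOCUMENT"),
        "contentAssocTypeId", Set.of("RESPONSE"));

    /** Server-side check: returns false if any type field is missing or off the allowlist. */
    static boolean typeFieldsValid(Map<String, String> params) {
        for (Map.Entry<String, Set<String>> rule : ALLOWED.entrySet()) {
            String value = params.get(rule.getKey());
            if (value == null || !rule.getValue().contains(value)) return false;
        }
        return true;
    }

    /** Encodes text for an HTML element body or a quoted attribute value. */
    static String escapeHtml(String text) {
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (char c : text.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request: the message body from the report, as sent with JavaScript off.
        Map<String, String> post = new HashMap<>(Map.of(
            "dataResourceTypeId", "ELECTRONIC_TEXT", "contentTypeId", "DOCUMENT",
            "contentAssocTypeId", "RESPONSE",
            "messageText", "<script>alert('test');</script>"));  // hypothetical field name
        System.out.println(typeFieldsValid(post));               // untampered type fields
        System.out.println(escapeHtml(post.get("messageText"))); // body as it would be rendered
        post.put("contentTypeId", "TEMPLATE");                   // constructed tampered value
        System.out.println(typeFieldsValid(post));               // same check after tampering
    }
}
```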
