[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430168 ]

Eriks Dobelis commented on OFBIZ-178:
-------------------------------------

Jacque, are you using the latest version with demo data? Si, HTML text coming from the client should be checked to contain only those HTML tags which should be explicitly allowed (e.g. <strong> is one such tag). In all the other tags, symbols like <, >, ', " should for security reasons be changed to their HTML representation (&lt; &gt;). Basically the same operations that whizzywig.js does on the client side regarding symbol filtering should be performed also on the server side.

Regarding hidden fields, the cleanest approach would be to send to the client side only the session ID (in a cookie or hidden field) and to store all other data on the server side. Otherwise, the effect of manipulating all the hidden field values should be analyzed. If those are values which the client should be able to change then it is ok, but I am quite sure that the client should not be able to change the values of dataResourceTypeId, contentTypeId.

> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
> Key: OFBIZ-178
> URL: http://issues.apache.org/jira/browse/OFBIZ-178
> Project: OFBiz (The Open for Business Project)
> Issue Type: Bug
> Components: ecommerce
> Reporter: Eriks Dobelis
>
> Currently HTML tags are filtered from forum messages by client side
> javascript (whizzywig.js). If JavaScript is turned off (or a local web proxy is
> used to filter or change the script), then a user can post a forum message
> containing any HTML code, including <script> tags, e.g.
> <script>alert('test');</script>
> This is a classic cross site scripting problem with all the consequences (e.g.
> writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that
> the user could change that text. I have not checked that, but as there are fields
> like dataResourceTypeId, contentTypeId then probably the user can create any type
> of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
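An added example, in Python, of the two server-side checks the comment asks for; this is not OFBiz code and not the fix adopted for this issue. It keeps only bare, explicitly allowed tags (the allowed set is an assumption) and turns every other tag and symbol into its HTML entity form, and it compares the submitted fixed hidden fields (dataResourceTypeId, contentTypeId) against the values the server already holds.

```python
import html
import re

# Tags the forum explicitly allows (assumed set); everything else is escaped, not stripped.
ALLOWED_TAGS = {"strong", "em", "p", "br"}

# Any tag-like token: optional "/", a tag name, then whatever follows up to ">".
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")


def sanitize_html(text: str) -> str:
    """Server-side filter: keep bare allowed tags, escape every other tag and symbol."""
    out = []
    pos = 0
    for m in TAG_RE.finditer(text):
        # Plain text between tags: <, >, &, " and ' become entities
        out.append(html.escape(text[pos:m.start()], quote=True))
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3).strip()
        if name in ALLOWED_TAGS and attrs in ("", "/"):
            # Allowed tag with no attributes: re-emit a canonical copy, not the raw token
            out.append(f"<{closing}{name}{attrs}>")
        else:
            # Unknown tag, or an allowed tag carrying attributes (onclick=..., style=...):
            # render it as literal text so the browser never parses it as markup
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


# Values the server already knows for this form (taken from the hidden fields in the
# report); a submitted copy that differs means the client changed it.
SERVER_FIXED_FIELDS = {"dataResourceTypeId": "ELECTRONIC_TEXT", "contentTypeId": "DOCUMENT"}


def tampered_fixed_fields(form: dict) -> list:
    """Names of fixed hidden fields whose submitted value does not match the server's."""
    return [k for k, v in SERVER_FIXED_FIELDS.items() if form.get(k) != v]


if __name__ == "__main__":
    # Constructed sample: the payload from the report plus an allowed tag with an event handler
    posted = "<strong>hi</strong> <script>alert('test');</script> <em onmouseover=\"x()\">e</em>"
    print(sanitize_html(posted))
    # Constructed sample: a form where the client changed contentTypeId
    print(tampered_fixed_fields({"dataResourceTypeId": "ELECTRONIC_TEXT", "contentTypeId": "OTHER"}))
```

A request whose fixed fields come back non-empty from tampered_fixed_fields should be rejected rather than corrected, since the client had no legitimate reason to alter them.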
