[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430332 ]

Si Chen commented on OFBIZ-178:
-------------------------------

So are you saying that createDataResource, or whatever it is that is storing the HTML content, should filter out script tags?

> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
>         Key: OFBIZ-178
>         URL: http://issues.apache.org/jira/browse/OFBIZ-178
>     Project: OFBiz (The Open for Business Project)
>  Issue Type: Bug
>  Components: ecommerce
>    Reporter: Eriks Dobelis
>
> Currently HTML tags are filtered from forum messages by client-side
> JavaScript (whyzzywig.js). If JavaScript is turned off (or a local web proxy is
> used to filter or change the script), then a user can post a forum message
> containing any HTML code, including <script> tags, e.g.
> <script>alert('test');</script>
> This is a classic cross-site scripting problem with all the consequences (e.g.
> writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that
> a user could change that text. I have not checked that, but as there are fields
> like dataResourceTypeId and contentTypeId, a user can probably create any type
> of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
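Added example (not OFBiz code, and not part of the issue or the comment above): the server-side handling the comment asks about, in Python rather than OFBiz's Java. An allowlist sanitizer is applied to the message before it is stored, and the hidden-field values the report lists are checked against a server-side policy instead of being trusted from the form. The tag allowlist and the policy table are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example; it is not OFBiz's own configuration.
# Attributes are dropped wholesale, so on*= handlers and style= never survive.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote"}

class ForumMessageSanitizer(HTMLParser):
    """Rebuilds a posted message from allowlisted tags only, with all text escaped,
    so a <script> tag submitted with client-side filtering bypassed is never rendered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # >0 while inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes intentionally not copied
        # any other tag is dropped; its inner text still passes through handle_data

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.dropping = max(0, self.dropping - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))

def sanitize_forum_message(raw_html):
    """Server-side filter to run before the message is stored, e.g. in the
    service that creates the DataResource; the browser's whyzzywig.js is advisory only."""
    parser = ForumMessageSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)

# The report's hidden fields: the server decides these values instead of trusting the form.
FORUM_POST_POLICY = {"dataResourceTypeId": "ELECTRONIC_TEXT", "contentTypeId": "DOCUMENT",
                     "contentAssocTypeId": "RESPONSE"}

def tampered_fields(params):
    """Names of submitted fields whose value differs from what the server requires."""
    return [name for name, wanted in FORUM_POST_POLICY.items() if params.get(name) != wanted]
```

Fields that fail `tampered_fields` should make the service reject the request rather than fall back to the submitted value.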
