[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12438350 ]

Eriks Dobelis commented on OFBIZ-260:
-------------------------------------

I suggest we start with a really cautious attitude here, and then in the longer run remove restrictions when we are sure they are safe. So for the start I would suggest:

In the forum case - it is just a few tags that are allowed (like <i>, <b>, but not <img> and certainly not <script>). All <, >, and better also ', ", ; which are not part of explicitly allowed tags should be changed to &lt;, &gt;, etc. The <img> tag should not be allowed because it contains parameters which can be manipulated. There is nothing an attacker can do with a simple <i>.

In the search case it is simpler, because you should not allow any tags there at all and should replace all of these.

Of course UTF-8 variations of the symbols should be analyzed and characters like 000060 should be converted to 60 before stripping.

Speaking about potential implementation, a separate filter should be created and used in the corresponding web.xml analyzing all POST and GET parameters supplied by the user. The question is whether we can create a generic filter for all components or there should be different ones because of the different needs of different modules.

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
>                 Key: OFBIZ-260
>                 URL: http://issues.apache.org/jira/browse/OFBIZ-260
>             Project: OFBiz (The Open for Business Project)
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from
> Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
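The comment above sketches a servlet filter registered in web.xml that sanitizes every GET and POST parameter, with a strict "no tags" mode for search forms and an allow-list mode for the forum. The following is an added example of that design, written for this page; it is not OFBiz code and was not posted by the commenter. It assumes the javax.servlet API (Servlet 3.x or later) and Java 8+, and the class name `ParameterSanitizerFilter`, the init-param `mode` and the tag set `ALLOWED` are all hypothetical choices made here. Unicode look-alikes of the metacharacters are folded with NFKC normalization before the allow-list check; overlong or malformed UTF-8 byte sequences never reach this code, because the container's request decoder must reject them first.

```java
import java.io.IOException;
import java.text.Normalizer;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical allow-list sanitizing filter (example only, not OFBiz code).
 * web.xml init-param "mode": "forum" keeps attribute-free allowed tags,
 * anything else (e.g. "strip" for search) encodes every tag.
 */
public class ParameterSanitizerFilter implements Filter {

    /** Attribute-free tags judged harmless; <img>, <a>, <script> are deliberately absent. */
    static final Set<String> ALLOWED =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("b", "i", "u", "p", "br")));

    /** Matches only a bare opening/closing tag with NO attributes, e.g. <b> or </i>. */
    private static final Pattern SIMPLE_TAG = Pattern.compile("<(/?)([a-zA-Z]+)>");

    private boolean allowMarkup;

    @Override
    public void init(FilterConfig config) {
        allowMarkup = "forum".equalsIgnoreCase(config.getInitParameter("mode"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new SanitizedRequest((HttpServletRequest) req, allowMarkup);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** Replaces the metacharacters listed in the comment (< > ' " ;) with HTML entities. */
    static String encode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case ';':  out.append("&#59;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Sanitize one parameter value: NFKC-normalize so fullwidth or compatibility
     * variants fold to ASCII first, then either encode everything (search mode)
     * or re-emit allowed attribute-free tags and encode all other text (forum mode).
     * A tag with attributes, e.g. <i onmouseover=...>, never matches SIMPLE_TAG
     * and is therefore encoded like any other text.
     */
    static String sanitize(String raw, boolean allowMarkup) {
        if (raw == null) return null;
        String value = Normalizer.normalize(raw, Normalizer.Form.NFKC);
        if (!allowMarkup) return encode(value);

        StringBuilder out = new StringBuilder(value.length());
        Matcher m = SIMPLE_TAG.matcher(value);
        int last = 0;
        while (m.find()) {
            out.append(encode(value.substring(last, m.start())));
            String tag = m.group(2).toLowerCase(Locale.ROOT);
            if (ALLOWED.contains(tag)) {
                out.append('<').append(m.group(1)).append(tag).append('>');
            } else {
                out.append(encode(m.group()));   // <script> becomes &lt;script&gt;
            }
            last = m.end();
        }
        out.append(encode(value.substring(last)));
        return out.toString();
    }

    /** Wrapper returning sanitized copies of every parameter, whichever accessor is used. */
    static final class SanitizedRequest extends HttpServletRequestWrapper {
        private final boolean allowMarkup;

        SanitizedRequest(HttpServletRequest request, boolean allowMarkup) {
            super(request);
            this.allowMarkup = allowMarkup;
        }

        @Override
        public String getParameter(String name) {
            return sanitize(super.getParameter(name), allowMarkup);
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) return null;
            String[] clean = new String[values.length];
            for (int i = 0; i < values.length; i++) clean[i] = sanitize(values[i], allowMarkup);
            return clean;
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> clean = new LinkedHashMap<>();
            for (String name : super.getParameterMap().keySet()) clean.put(name, getParameterValues(name));
            return Collections.unmodifiableMap(clean);
        }
    }
}
```

With `mode` left unset (or set to `strip`) and the filter mapped to `/control/*`, the issue's own test string `SEARCH_STRING=<script>alert("XSS");</script>` reaches the search handler as `&lt;script&gt;alert(&quot;XSS&quot;)&#59;&lt;/script&gt;`, while a forum mapping with `mode=forum` passes `<b>` and `<i>` through unchanged. Overriding `getParameterMap` as well as `getParameter`/`getParameterValues` matters: frameworks that copy the whole map into a request context would otherwise read the raw values and bypass the filter. This is input filtering only; output encoding at the template layer is still required, since the same wrapped request also serves parameters that end up in attribute or JavaScript contexts where entity encoding is not sufficient.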
