[ http://issues.apache.org/jira/browse/OFBIZ-260?page=comments#action_12438689 ]

Eriks Dobelis commented on OFBIZ-260:
-------------------------------------

Great addition, Jacques! I suggest that there should be a parameter allowedTags or something like that. It would be a list of tags which are allowed and should not be replaced. So we could pass a list like "b","i" and <b></b><i></i> would be left as they are, but all the other < and > would be replaced.

The important question is: what should call this method? What do you think about creating a filter in web.xml to parse user input? Or, for now, should we just call this method in cases where we have identified the problem, and create the global filter later?

> Cross Site Scripting Vulnerability (XSS)
> ----------------------------------------
>
>                 Key: OFBIZ-260
>                 URL: http://issues.apache.org/jira/browse/OFBIZ-260
>             Project: OFBiz (The Open for Business Project)
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Marco Risaliti
>
> It's a copy of http://jira.undersunconsulting.com/browse/OFBIZ-559 from
> Olivier Lietz.
> ===========================================================
> *Very* simple test:
> /ecommerce/control/keywordsearch?SEARCH_STRING=<script>alert("XSS");</script>
> Other components beside ecommerce are also affected.
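The comment above proposes an escaping method that replaces every `<` and `>` except for an allowedTags list. The block below is an added illustration of that design, written for this page in Python rather than OFBiz's Java, and it is not OFBiz code: the function name `escape_except_allowed`, the default allowlist of `b` and `i`, and the sample inputs are all assumptions made here. It deliberately keeps only bare opening and closing forms of the allowed tags (`<b>`, `</b>`, no attributes), so that an allowed tag name cannot be used to carry an event-handler attribute past the filter, and it escapes `&` and quotes as well as the angle brackets.

```python
import html
import re
from typing import Iterable


def escape_except_allowed(text: str, allowed_tags: Iterable[str] = ("b", "i")) -> str:
    """Escape HTML-significant characters in text, passing through only bare allowed tags.

    Hypothetical helper (not OFBiz's own method). Only exact forms such as <b>, </b>,
    <i>, </i> are preserved; a tag with attributes or whitespace (e.g. <b onclick=...>)
    does not match and is escaped like any other markup.
    """
    names = "|".join(re.escape(tag) for tag in allowed_tags)
    # Matches </b>, <b>, </i>, <i> ... case-insensitively, with nothing else inside.
    allowed = re.compile(rf"</?(?:{names})>", re.IGNORECASE)

    out = []
    pos = 0
    for match in allowed.finditer(text):
        # Everything between allowed tags is escaped, including &, ", ' and <>.
        out.append(html.escape(text[pos:match.start()], quote=True))
        out.append(match.group(0))  # allowed tag kept exactly as written
        pos = match.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def demo() -> dict:
    """Run the escaper over constructed sample inputs and return the results."""
    samples = {
        # The test string from the issue description above.
        "script": '<script>alert("XSS");</script>',
        # Allowed markup plus an ampersand that still needs escaping (constructed).
        "allowed": "<b>bold</b> & <i>italic</i>",
        # Allowed tag name carrying an attribute: must not pass through (constructed).
        "attribute": '<b onclick="x">y</b>',
    }
    return {name: escape_except_allowed(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, escaped in demo().items():
        print(f"{name}: {escaped}")
```

The allowlist works on whole tag tokens, not on tag names alone; that is the difference between letting `<b>` through and letting `<b onmouseover=...>` through, and it is the main thing to check when reviewing any allowedTags implementation.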
