html code is not sanitized in all the text input field
------------------------------------------------------
Key: OFBIZ-1193
URL: https://issues.apache.org/jira/browse/OFBIZ-1193
Project: OFBiz
Issue Type: Bug
Affects Versions: SVN trunk
Environment: any environment
Reporter: Vikrant Rathore
Priority: Blocker
This a very critical bug in ofbiz you can put in any html text including script
or iframe tags in the input field for address update or customer name update
i.e. any text field in ofbiz.
Its a major security issue for all the ofbiz installation since the text in the
input text field is not sanitized.
below is small source code of the page where a script in the demo store for
DemoCustomer profile which just pops up an alert box.
<tr>
<td width="26%" align="right" valign="top"><div class="tabletext">Address
Line 1</div></td>
<td width="5"> </td>
<td width="74%">
<input type="text" class='inputBox' size="30" maxlength="30"
name="address1" value=""/><script>alert("a")</script>">
*</td>
</tr>
<tr>
Along with this attached the screenshot you can try the demo on ofbiz ecommerce
store on the ofbiz website and use DemoCustomer profile you will see the same
screenshot.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
