[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12518719 ]
Jacques Le Roux commented on OFBIZ-1193: ---------------------------------------- This (or something similar) has already been reported and discussed in other issues : OFBIZ-178 and OFBIZ-260. Nobody since then has proved any threats at the server level, or implemented a solution( some have been suggested)... This does not meant that we should not look at it, but I agree with Jacopo : it's not in any way a blocker ! > html code is not sanitized in all the text input field > ------------------------------------------------------ > > Key: OFBIZ-1193 > URL: https://issues.apache.org/jira/browse/OFBIZ-1193 > Project: OFBiz > Issue Type: Bug > Affects Versions: SVN trunk > Environment: any environment > Reporter: Vikrant Rathore > Attachments: error screenshot.jpg > > > This a very critical bug in ofbiz you can put in any html text including > script or iframe tags in the input field for address update or customer name > update i.e. any text field in ofbiz. > Its a major security issue for all the ofbiz installation since the text in > the input text field is not sanitized. > below is small source code of the page where a script in the demo store for > DemoCustomer profile which just pops up an alert box. > <tr> > <td width="26%" align="right" valign="top"><div > class="tabletext">Address Line 1</div></td> > <td width="5"> </td> > <td width="74%"> > <input type="text" class='inputBox' size="30" maxlength="30" > name="address1" value=""/><script>alert("a")</script>"> > *</td> > </tr> > <tr> > Along with this attached the screenshot you can try the demo on ofbiz > ecommerce store on the ofbiz website and use DemoCustomer profile you will > see the same screenshot. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.