[ https://issues.apache.org/jira/browse/OFBIZ-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marco Risaliti updated OFBIZ-1193: ---------------------------------- Component/s: framework ecommerce Fix Version/s: SVN trunk > html code is not sanitized in all the text input field > ------------------------------------------------------ > > Key: OFBIZ-1193 > URL: https://issues.apache.org/jira/browse/OFBIZ-1193 > Project: OFBiz > Issue Type: Improvement > Components: ecommerce, framework > Affects Versions: SVN trunk > Environment: any environment > Reporter: Vikrant Rathore > Fix For: SVN trunk > > Attachments: error screenshot.jpg, ofbiz-1193-logins.patch, > ofbiz-1193-messages_ftl.patch, ofbiz-1193-webtools_entity.patch > > > This a very critical bug in ofbiz you can put in any html text including > script or iframe tags in the input field for address update or customer name > update i.e. any text field in ofbiz. > Its a major security issue for all the ofbiz installation since the text in > the input text field is not sanitized. > below is small source code of the page where a script in the demo store for > DemoCustomer profile which just pops up an alert box. > <tr> > <td width="26%" align="right" valign="top"><div > class="tabletext">Address Line 1</div></td> > <td width="5"> </td> > <td width="74%"> > <input type="text" class='inputBox' size="30" maxlength="30" > name="address1" value=""/><script>alert("a")</script>"> > *</td> > </tr> > <tr> > Along with this attached the screenshot you can try the demo on ofbiz > ecommerce store on the ofbiz website and use DemoCustomer profile you will > see the same screenshot. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.