[ https://issues.apache.org/jira/browse/OFBIZ-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-178.
---------------------------------

    Resolution: Fixed
      Assignee: David E. Jones  (was: Jacques Le Roux)

Fixed by recent security efforts (though the message is not clear when trying to inject in the forum body; the title is OK (std input field vs content field)).

> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
>                 Key: OFBIZ-178
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-178
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: SVN trunk
>            Reporter: Eriks Dobelis
>            Assignee: David E. Jones
>             Fix For: SVN trunk
>
>
> Currently HTML tags are filtered from forum messages by client-side
> JavaScript (whyzzywig.js). If JavaScript is turned off (or a local web proxy is
> used to filter or change the script), then the user can post a forum message
> containing any HTML code, including <script> tags, e.g.
> <script>alert('test');</script>
> This is a classic cross-site scripting problem with all the consequences (e.g.
> writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that
> the user could change that text. I have not checked that, but as there are fields
> like dataResourceTypeId, contentTypeId then probably the user can create any type
> of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
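The two weaknesses in the report (filtering only in client-side JavaScript, and trusting hidden form fields) have the same fix: the server must do its own validation, because everything the browser sends, hidden inputs included, is attacker-controlled once JavaScript is off or a proxy sits in between. The Node.js sketch below is an added example of that server-side counterpart; it is not OFBiz code and not the fix the issue refers to. The hidden-field names and values are the ones quoted in the report; the allowed-tag list, the set of known thread ids, the request objects and the function names are assumptions made for the example.

```javascript
// Added example (not OFBiz or whyzzywig.js code): server-side handling of a
// forum post that does not rely on the client having filtered anything.
// ALLOWED_TAGS, knownThreadIds and the form objects are constructed for the demo.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);

// HTML-encode the characters that change meaning in text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist sanitizer for the message body: keeps bare allowed tags (attributes
// are dropped, so no onclick= or href="javascript:"), and HTML-encodes every
// other tag, every stray '<' and all text. <script>alert('test');</script>
// therefore survives only as inert text.
function sanitizeBody(html) {
  return String(html).replace(/<\/?([a-zA-Z0-9]+)[^>]*>|[^<]+|</g, (tok, name) => {
    if (name !== undefined && ALLOWED_TAGS.has(name.toLowerCase())) {
      const lower = name.toLowerCase();
      return tok.startsWith('</') ? `</${lower}>` : `<${lower}>`;
    }
    return escapeHtml(tok); // unknown tag, lone '<', or plain text
  });
}

// Values the form also carries as hidden inputs but which the server decides
// for itself. A client-supplied value for these is never used.
const SERVER_FIXED = Object.freeze({
  dataResourceTypeId: 'ELECTRONIC_TEXT',
  contentTypeId: 'DOCUMENT',
  contentAssocTypeId: 'RESPONSE',
});

// Build the record for a forum response from submitted form fields.
// Returns { record, tampered }: `tampered` lists fixed fields the client tried
// to override, which is worth logging as a sign someone is probing the form.
function buildForumPost(form, knownThreadIds) {
  // contentIdTo names the parent thread; it must be a real, existing id.
  const parent = String(form.contentIdTo || '');
  if (!/^\d+$/.test(parent) || !knownThreadIds.has(parent)) {
    throw new Error(`contentIdTo ${JSON.stringify(parent)} is not an existing thread`);
  }
  const tampered = Object.keys(SERVER_FIXED).filter(
    (k) => form[k] !== undefined && form[k] !== SERVER_FIXED[k]
  );
  const record = {
    ...SERVER_FIXED,
    contentIdTo: parent,
    // The title is a plain text field: it is never HTML, so encode it whole.
    contentName: escapeHtml(String(form.contentName || '').trim()),
    body: sanitizeBody(form.body || ''),
  };
  return { record, tampered };
}
```

The tokenizer is deliberately simple and is meant to show the shape of the check, not to replace a maintained HTML sanitizer library in production: it treats any `<name ...>` run as a tag and encodes it unless the name is on the allowlist, which is safe (the fallback is encoding) but can split odd markup in unexpected places. The important properties are that the decision is made on the server, that the default for anything unrecognised is to encode rather than pass through, and that type-selecting fields such as contentTypeId come from server configuration rather than from the request.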