lekt...@apache.org wrote:
> Author: lektran
> Date: Sat Oct 17 08:40:17 2009
> New Revision: 826196
> 
> URL: http://svn.apache.org/viewvc?rev=826196&view=rev
> Log:
> Fix security issue reported by Alexandre Mazari - OFBIZ-2747
> Request parameters were being made available to surveys which in turn were 
> sending them straight back to the browser creating an XSS vulnerability.
> This isn't a true fix because I've simply disabled the functionality but at 
> least the security hole is plugged.
> 
> Modified:
>     ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java

This change breaks purchase of gift cards.  Go to /ecommerce, select
gift card, $100 variant, classic type, add to cart, fill out survey,
and then it fails to add to the cart.

I would suggest reverting this commit, as having broken functionality
is worse than having a security hole.

ps: I was able to find this by making use of 'git bisect'.  I just
love having a copy of all previous ofbiz history.

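The commit message above describes request parameters being passed through to a survey and echoed back into the page without encoding, which is a reflected XSS. The following is an added illustration, not OFBiz code and not the actual SurveyWrapper change: it models a survey field pre-filled from a request parameter, first echoing the raw value (the bug), then applying an allow-list of parameter names plus HTML-attribute encoding on output (the narrower fix that keeps the pre-fill feature working). The parameter name `recipientName`, the function names and the sample request are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed attacker payload: closes the value attribute, then injects script.
PAYLOAD = '"><script>alert(1)</script>'


def sample_query() -> str:
    """Constructed request query string, as an attacker-supplied link would carry it.

    'debug' is an extra parameter the form never asked for; the hardened
    renderer must ignore it.
    """
    return urlencode({"recipientName": PAYLOAD, "debug": "<b>unexpected</b>"})


def _first_values(query_string: str) -> dict:
    """Flatten parse_qs output (lists) to single values, keeping blanks."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def render_vulnerable(query_string: str) -> str:
    """Pre-fill the survey field by echoing the parameter verbatim.

    This is the pattern the commit message describes: whatever arrives in the
    request lands in the HTML unchanged, so the payload breaks out of the
    attribute and executes.
    """
    params = _first_values(query_string)
    recipient = params.get("recipientName", "")
    return f'<input type="text" name="recipientName" value="{recipient}">'


def render_escaped(query_string: str, allowed=("recipientName",)) -> str:
    """Same pre-fill, hardened.

    Only allow-listed parameter names are consulted (so arbitrary request
    parameters are not exposed to the survey), and every value is
    HTML-attribute-encoded on output with quote=True, which turns '"', '<',
    '>', '&' and "'" into entities so the browser treats the value as text.
    """
    params = _first_values(query_string)
    fields = []
    for name in allowed:
        value = html.escape(params.get(name, ""), quote=True)
        fields.append(f'<input type="text" name="{name}" value="{value}">')
    return "\n".join(fields)


def contains_live_markup(rendered: str) -> bool:
    """Crude check used by the demo: did an unencoded script tag survive into the output?"""
    return "<script>" in rendered


if __name__ == "__main__":
    qs = sample_query()
    print("vulnerable:", render_vulnerable(qs), contains_live_markup(render_vulnerable(qs)))
    print("escaped:   ", render_escaped(qs), contains_live_markup(render_escaped(qs)))
```

The point of the second renderer is that the fix is on output encoding and on which parameters the survey may read, not on removing the pre-fill; the gift-card flow described in the reply depends on the survey still receiving its data, and encoding preserves that while closing the reflection.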