Hi Sascha,

Looks good to me

Jacques

From: "Sascha Rodekamp" <sascha.rodekamp.lynx...@googlemail.com>
Yep, you're right, but what he is talking about is the double opt-in for
newsletter sign-ups (you have to do this in Germany).
It means that when you have signed up for a newsletter you get a mail with a
verification link. OFBiz generates this email, but with a bunch of GET
parameters, which is really a security issue.
So Mirko suggests using only one hash code which is translated internally.
This should minimize the risk of XSS and stuff.

2011/1/22 Jacques Le Roux <jacques.le.r...@les7arts.com>

Quick answer: are you using a GET method with your action (I see these
parameters in the URL)? Because this is bad for XSS. We use hidden fields
with POST. But maybe I completely missed the point ;o)

Jacques

From: "Sascha Rodekamp" <sascha.rodekamp.lynx...@googlemail.com>

The main issue we focused on here was the fromDate parameter in the URL.

fromDate=2011-01-13 10:46:32.952

It's really bad to have a space in the URL, isn't it?

2011/1/13 Mirko Vogelsmeier <mirko.vogelsme...@lynx.de>

Hi there,

I've been working on some basic newsletter-signup stuff with OptInCodes.
When accepting an OptInCode the user has to pass through 4 different
variables (OptInCode + 3 primary keys).
Apart from the fact that this doesn't look nice at all for any given user,
it reveals some of our primary keys, which has an impact on security.

This is what my URL looks like:

.../updateNewsletterStatus?contactListId=1000&partyId=10020&fromDate=2011-01-13 10:46:32.952&optInVerifyCode=9744644563

I thought about creating an entity with one primary key and 4 foreign
keys (from the above URL).
The primary key could then be a hash value that is passed through by a
user.
What do you think about this idea?

Greetings,
Mirko



Mirko Vogelsmeier
Auszubildender Fachinformatiker AEW
Lynx-Consulting GmbH
Johanniskirchplatz 6
33615 Bielefeld
Deutschland
Fon: +49 521 5247-0
Fax: +49 521 5247-250

--
Sascha Rodekamp
  Lynx-Consulting GmbH
  Johanniskirchplatz 6
  D-33615 Bielefeld
  http://www.lynx.de

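The single-code design Mirko proposed and Sascha summarised above (one opaque verification code that the server translates back into contactListId, partyId and fromDate), written out as an added example; this is not code from the thread or from OFBiz, it uses Python and an in-memory dict in place of the proposed entity, and every name in it is assumed.

```python
import hashlib
import secrets
import time

# Constructed stand-in for the proposed entity: one opaque primary key maps to the
# three keys that used to travel in the URL. Only a digest of the code is stored,
# so reading the table does not yield codes that can be replayed.
_OPT_IN = {}
TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed validity window for a verification link


def _digest(code):
    return hashlib.sha256(code.encode("ascii")).hexdigest()


def issue_opt_in_code(contact_list_id, party_id, from_date, now=None):
    """Create one unguessable, URL-safe code; the real keys never leave the server."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)  # 192 random bits, no spaces or reserved chars
    _OPT_IN[_digest(code)] = {
        "contactListId": contact_list_id,
        "partyId": party_id,
        "fromDate": from_date,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return code


def verification_link(base_url, code):
    """The mail now carries a single parameter instead of three keys plus a timestamp."""
    return f"{base_url}/updateNewsletterStatus?optInCode={code}"


def redeem_opt_in_code(code, now=None):
    """Translate a code back into the subscription keys, or return None.

    A code is single-use and expires, so a leaked or forwarded link cannot be
    replayed later; an unknown code reveals nothing about existing records.
    """
    now = time.time() if now is None else now
    rec = _OPT_IN.get(_digest(code))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True
    return {k: rec[k] for k in ("contactListId", "partyId", "fromDate")}
```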