[ https://issues.apache.org/jira/browse/OFBIZ-6506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14614415#comment-14614415 ]

Jacques Le Roux commented on OFBIZ-6506:
----------------------------------------

Could you provide a case to reproduce the initial XSS issue? I tried this:
in a groovy file called by a screen widget
{code}
context.test = "<script>alert('alert')</script>"
{code}
in the screen widget
{code}
<set field="parameters.test" from-field="test"/>
{code}
in the form called by the screen:
{code}
<field name="test"><display/></field>
{code}

I got no js alert popup but this in HTML source:
{code}
<label for="form_test"  id="form_test_title">Test</label>  </td>
  <td colspan="7">
&lt;script&gt;alert&#x28;&#x27;alert&#x27;&#x29;&lt;&#x2f;script&gt;
  </td>
{code}
So as you see the data is escaped before being rendered.

There is a reproducible case and it's
{code}
<field name="test"><display 
default-value="&lt;script&gt;alert(&#39;alert&#39;)&lt;/script&gt;"/></field>
{code}
But this is really shooting oneself in the foot only for the fun of it.
If you like to shoot yourself in the foot there is another way by using the 
same process as above but adding encode-output="false" in the form widget
{code}
<field name="test" encode-output="false"><display/></field>
{code}

Please let us know your concern and how to reproduce, else in a week, I will 
close this issue and the Stack Overflow questions as invalid.

> XSS vulnerability in OFBiz forms and screens especially in display-entity 
> component
> -----------------------------------------------------------------------------------
>
>                 Key: OFBIZ-6506
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6506
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>            Reporter: Lilian Iatco
>              Labels: display, entity, form, ofbiz, screen, vulnerability, xss
>
> In an OFBiz form, characters from the description column in a 
> display-entity tag need to be escaped to avoid XSS attacks.
> <display-entity entity-name="Table" description="${description}" >
> I tried to use bsh, as following:
> <display-entity entity-name="Table" description="${bsh: 
> org.apache.commons.lang.StringEscapeUtils.escapeHtml(&quot;${description}&quot;)}">
> But I get this error:
> Error rendering screen 
> [component://my/widget/CommonScreens.xml#GlobalDecorator]: 
> java.lang.IllegalStateException: This object has been flagged as immutable 
> (unchangeable), probably because it came from an Entity Engine cache. Cannot 
> set a value in an immutable entity object. 
> (This object has been flagged as immutable (unchangeable), probably because 
> it came from an Entity Engine cache. Cannot set a value in an immutable 
> entity object.)
> Also you can see here a similar issue:
> http://stackoverflow.com/questions/30097370/how-to-escape-characters-in-ofbiz-widget
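As an added example (not code from OFBiz or from this thread), a small Python model of the encoding visible in the rendered HTML above: an OWASP-ESAPI-style HTML entity encoder that reproduces the `&lt;script&gt;alert&#x28;...` output character for character, a model of the three widget cases the comment describes (plain display, encode-output="false", default-value), and a check a tester can run over the rendered markup. The named-entity table and immune-character set are assumptions modelled on ESAPI's HTMLEntityCodec, not OFBiz's actual implementation.

```python
import html

# Assumed encoder tables, modelled on OWASP ESAPI's HTMLEntityCodec rather than
# OFBiz's own code: a few named entities, everything else outside the immune set
# becomes a lowercase hex character reference such as &#x28;.
NAMED = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}
IMMUNE = set(",.-_ ")  # left untouched in addition to ASCII letters and digits

# The payload from the thread (constructed test input for this example).
PAYLOAD = "<script>alert('alert')</script>"


def html_encode(value: str) -> str:
    """Encode every character that is not ASCII-alphanumeric or immune."""
    out = []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch in IMMUNE:
            out.append(ch)
        elif ch in NAMED:
            out.append(NAMED[ch])
        else:
            out.append("&#x%x;" % ord(ch))
    return "".join(out)


def round_trips(value: str) -> bool:
    """Encoding must be lossless: a browser shows the original text unchanged."""
    return html.unescape(html_encode(value)) == value


def render_display(value: str, encode_output: bool = True,
                   from_default_value: bool = False) -> str:
    """Model of the behaviour described in the comment: a displayed field value
    is encoded, while encode-output="false" and a literal default-value
    attribute put the text into the page verbatim."""
    if from_default_value or not encode_output:
        return value
    return html_encode(value)


def is_neutralised(rendered: str) -> bool:
    """A display value may never contribute raw markup to the page, so any
    surviving angle bracket means the encoder was bypassed."""
    return "<" not in rendered and ">" not in rendered
```

The encoded form of `PAYLOAD` matches the `&lt;script&gt;alert&#x28;&#x27;alert&#x27;&#x29;&lt;&#x2f;script&gt;` seen in the HTML source above, and only the two opt-out paths leave it active.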



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)