[ https://issues.apache.org/jira/browse/OFBIZ-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-178:
----------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: OFBIZ-1525

> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
>                 Key: OFBIZ-178
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-178
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: specialpurpose/ecommerce
>    Affects Versions: Trunk
>            Reporter: Eriks Dobelis
>            Assignee: David E. Jones
>             Fix For: Trunk
>
>
> Currently HTML tags are filtered from forum messages by client-side
> JavaScript (whyzzywig.js). If JavaScript is turned off (or a local web proxy is
> used to filter or change the script), then a user can post a forum message
> containing any HTML code, including <script> tags, e.g.
> <script>alert('test');</script>
> This is a classic cross-site scripting problem with all the consequences (e.g.
> writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that
> a user could change that text. I have not checked that, but as there are fields
> like dataResourceTypeId, contentTypeId then probably a user can create any type
> of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)