Xin Wang created OFBIZ-12254: -------------------------------- Summary: XSS vulnerability for ListWorkEfforts form Key: OFBIZ-12254 URL: https://issues.apache.org/jira/browse/OFBIZ-12254 Project: OFBiz Issue Type: Bug Affects Versions: Trunk Reporter: Xin Wang
If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping. Steps to reproduce: 1. Turn off `sanitizer.enable` in owasp.properties 2. Create a WorkEffort entity with name as `<script>alert(1)</script>` 3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort 4. Search for "Work Effort Name" which contains "script" -- This message was sent by Atlassian Jira (v8.3.4#803005)