[ 
https://issues.apache.org/jira/browse/OFBIZ-12366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17440424#comment-17440424
 ] 

ASF subversion and git services commented on OFBIZ-12366:
---------------------------------------------------------

Commit dfc7ee40328b54339a03123bb10adf9a3bc1f74a in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=dfc7ee4 ]

Improved: Fix OFBiz specific Javascript security issues reported by GH CodeQL 
(OFBIZ-12366)

Fixes "A DOM text reinterpreted as HTML" issue in fieldlookup.js

GH CodeQL reports:
"A webpage with this vulnerability reads text from the DOM, and afterwards adds
the text as HTML to the DOM. Using text from the DOM as HTML effectively
unescapes the text, and thereby invalidates any escaping done on the text. If an
attacker is able to control the safe sanitized text, then this vulnerability can
be exploited to perform a cross-site scripting attack.

Recommendation
To guard against cross-site scripting, consider using contextual output
encoding/escaping before writing text to the page, or one of the other solutions
that are mentioned in the References section below.

Example
"Extracting text from a DOM node and interpreting it as HTML can lead to a
cross-site scripting vulnerability."

GH CodeQL suggests:
The above vulnerability can be fixed by using $.find instead of $. The $.find
function will only interpret target as a CSS selector and never as HTML,
thereby preventing an XSS attack.


> Fix OFBiz specific Javascript security issues reported by GH CodeQL
> -------------------------------------------------------------------
>
>                 Key: OFBIZ-12366
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12366
>             Project: OFBiz
>          Issue Type: Improvement
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>
> Since we have no external security reports for those, it's only an 
> improvement but could be backported
