[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430116 ]
Si Chen commented on OFBIZ-178:
-------------------------------

Eric,

I see how it could be a problem -- so you're saying I could turn off my 
javascript, insert some malicious script, and then everybody else who comes to 
the forum screen later could then have their sessionId, etc. stolen by my 
JavaScript for session hijacking?

How should we solve it then?  We still need to use JS for the forum screens, as 
I'm sure a lot of websites do.  Do you have any suggestions, or better still--a 
patch? :)

The issue of the fields -- yes I agree, it's not very nice.  There should be a 
wrapper field which sets all of these so that the amount in the HTML page 
should be kept to a minimum.

> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
>                 Key: OFBIZ-178
>                 URL: http://issues.apache.org/jira/browse/OFBIZ-178
>             Project: OFBiz (The Open for Business Project)
>          Issue Type: Bug
>          Components: ecommerce
>            Reporter: Eriks Dobelis
>
> Currently HTML tags are filtered from forum messages by client-side 
> JavaScript (whyzzywig.js). If JavaScript is turned off (or a local web proxy is 
> used to filter or change the script), then a user can post a forum message 
> containing any HTML code, including <script> tags, e.g. 
> <script>alert('test');</script>
> This is a classic cross-site scripting problem with all the consequences (e.g. 
> writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that a 
> user could change that text. I have not checked that, but as there are fields 
> like dataResourceTypeId and contentTypeId, a user can probably create any type 
> of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
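The two problems in the report share one root cause: the browser is trusted with a security decision (filtering tags, choosing content types). The defence is to repeat both decisions on the server. The sketch below is an added illustration written for this thread, not OFBiz code and not Eriks's or Si's patch; it is in Python rather than OFBiz's Java so it can be run stand-alone. The tag allowlist, the `FORUM_CONFIG` table and the function names are assumptions; the field names and values in `FORUM_CONFIG` are the ones quoted from the hidden inputs above.

```python
"""Server-side checks for the two issues in OFBIZ-178 (illustration only,
not OFBiz code): (1) the client-side whyzzywig.js filter can be switched
off, so the message body is sanitized again on the server against a tag
allowlist; (2) hidden inputs such as contentTypeId are attacker-controlled,
so the server compares them with its own per-forum configuration."""
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist: tags a forum post may keep, with allowed attributes.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href"},
}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes. Any other tag is written
    back as escaped text (so it renders literally), <script>/<style>
    contents are dropped, and open tags are closed to keep output balanced."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # stack of allowed tags still open
        self._drop_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._drop_depth += 1
            return
        if self._drop_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onmouseover=, style=, etc.
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(f"</{tag}>"))
        elif tag in self._open:
            while self._open:               # also closes anything nested inside
                t = self._open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data))

    def close(self):
        super().close()
        while self._open:                   # close tags the poster left open
            self.out.append(f"</{self._open.pop()}>")


def sanitize_message(html):
    """Server-side replacement for trusting the client-side filter."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Hypothetical server-side configuration for the forum; values copied from the
# hidden inputs quoted in the issue. The browser's copy is never the source of truth.
FORUM_CONFIG = {
    "ASK": {"dataResourceTypeId": "ELECTRONIC_TEXT", "contentTypeId": "DOCUMENT",
            "contentAssocTypeId": "RESPONSE", "ownerContentId": "ASK"},
}


def validate_post(form):
    """Returns the parameters the server will use; raises ValueError when a
    hidden field disagrees with the server-side config (tampering)."""
    forum_id = form.get("forumId")
    if forum_id not in FORUM_CONFIG:
        raise ValueError("unknown forumId")
    expected = FORUM_CONFIG[forum_id]
    for name, value in expected.items():
        if form.get(name, value) != value:
            raise ValueError(f"tampered hidden field: {name}")
    content_id_to = form.get("contentIdTo", "")
    if not content_id_to.isdigit():
        raise ValueError("contentIdTo must be numeric")
    return {**expected, "forumId": forum_id, "contentIdTo": content_id_to,
            "text": sanitize_message(form.get("text", ""))}
```

The point of `validate_post` is that the hidden inputs become, at most, a consistency check: the content type actually used comes from `FORUM_CONFIG`, so a poster who edits `contentTypeId` in the page can only cause a rejection, not create a different kind of content. A real deployment would also escape the message again when rendering it, since sanitizing on input alone does not protect data that reached the database by another path.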