[ http://issues.apache.org/jira/browse/OFBIZ-178?page=comments#action_12430286 ]
Si Chen commented on OFBIZ-178:
-------------------------------

Erik,

I think then the filtering of HTML should be something to be fixed in 
whizzywyg.js and contributed back to them and then brought back into ofbiz.  
Maybe you should write them?

I disagree with you about "the most clean approach would be to send to the 
client side only session ID (in cookie or hidden field) and to store all other 
data on the server side".  I think the approach most consistent with the way 
ofbiz works would be to create a special service for managing forum postings 
which reuses the existing content services but with those fields embedded in 
them.  The content manager services are fairly generic and probably meant to be 
used as foundation or building blocks for actual applications rather than 
directly hidden on html forms like this.

> Cross site scripting vulnerability in Forum
> -------------------------------------------
>
>                 Key: OFBIZ-178
>                 URL: http://issues.apache.org/jira/browse/OFBIZ-178
>             Project: OFBiz (The Open for Business Project)
>          Issue Type: Bug
>          Components: ecommerce
>            Reporter: Eriks Dobelis
>
> Currently HTML tags are filtered from forum messages by client-side 
> JavaScript (whyzzywig.js). If JavaScript is turned off (or a local web proxy is 
> used to filter or change the script), then a user can post a forum message 
> containing any HTML code, including <script> tags, e.g. 
> <script>alert('test');</script>
> This is a classic cross-site scripting problem with all the consequences (e.g. 
> writing scripts to steal active cookies).
> Also, currently a lot is supplied as hidden fields, which probably means that a 
> user could change that text. I have not checked that, but as there are fields 
> like dataResourceTypeId and contentTypeId, a user can probably create any type 
> of content.
> <input type="hidden" name="VIEW_INDEX"/>
> <input type="hidden" name="threadView"/>
> <input type="hidden" name="forumGroupId"/>
> <input type="hidden" name="dataResourceTypeId" value="ELECTRONIC_TEXT"/>
> <input type="hidden" name="forumId" value="ASK"/>
> <input type="hidden" name="contentName" value="New thread/message/response"/>
> <input type="hidden" name="contentTypeId" value="DOCUMENT"/>
> <input type="hidden" name="ownerContentId" value="ASK"/>
> <input type="hidden" name="contentIdTo" value="10007"/>
> <input type="hidden" name="contentAssocTypeId" value="RESPONSE"/>
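The two points in the thread (HTML filtering that lives only in client-side JavaScript, and hidden fields such as contentTypeId that the client can rewrite) both come down to the server trusting the browser. The sketch below is an added example written for this page, not OFBiz code; it is in Python rather than OFBiz's Java so it runs stand-alone. It shows the shape Si Chen describes: a dedicated forum-posting service that decides the content type fields itself from a server-side table, checks that the hidden contentIdTo actually belongs to the chosen forum, and sanitizes the message body with a tag allowlist regardless of what the WYSIWYG editor did. The forum table, thread table and form submissions are constructed sample data.

```python
import html
import re

# Constructed: per-forum defaults the SERVER owns. Values submitted by the
# client for these fields are ignored rather than trusted.
FORUM_DEFAULTS = {
    "ASK": {
        "dataResourceTypeId": "ELECTRONIC_TEXT",
        "contentTypeId": "DOCUMENT",
        "ownerContentId": "ASK",
        "contentAssocTypeId": "RESPONSE",
    },
}

# Constructed: which thread ids (contentIdTo) exist in which forum.
KNOWN_THREADS = {"ASK": {"10007"}}

# Only bare, attribute-free formatting tags survive; everything else is escaped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)\s*(/?)>")


def sanitize_html(text):
    """Allowlist sanitizer: keep bare tags from ALLOWED_TAGS, HTML-escape all
    other text, including <script> and any tag carrying attributes (which the
    regex deliberately does not match, so it is escaped as ordinary text)."""
    out = []
    pos = 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        closing, name, self_close = m.groups()
        if name.lower() in ALLOWED_TAGS:
            out.append("<%s%s%s>" % (closing, name.lower(), self_close))
        else:
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def create_forum_post(form):
    """Server-side forum posting service. `form` is the submitted field map.
    Returns the record that would be handed to the generic content services."""
    forum_id = form.get("forumId")
    if forum_id not in FORUM_DEFAULTS:
        raise ValueError("unknown forum: %r" % (forum_id,))

    thread_id = form.get("contentIdTo")
    if thread_id not in KNOWN_THREADS[forum_id]:
        raise ValueError("thread %r is not in forum %r" % (thread_id, forum_id))

    # Start from the server-owned defaults; client-sent contentTypeId etc. never reach the record.
    record = dict(FORUM_DEFAULTS[forum_id])
    record["forumId"] = forum_id
    record["contentIdTo"] = thread_id
    record["contentName"] = html.escape(form.get("contentName", "")).strip()[:100]
    record["textData"] = sanitize_html(form.get("textData", ""))
    return record


if __name__ == "__main__":
    # Constructed submission that tampers with a hidden field and carries a script.
    form = {
        "forumId": "ASK",
        "contentIdTo": "10007",
        "contentTypeId": "TAMPERED",
        "contentName": "New thread/message/response",
        "textData": "<b>hi</b> <script>alert('test');</script>",
    }
    print(create_forum_post(form))
```

The service, not the form, is the trust boundary: the hidden fields become at most a hint of which forum and thread the user meant, and both are checked against server-side tables before anything is stored. Keeping the client-side editor's filtering is still fine for user experience, but it no longer matters for security.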
