Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-11006

Create customer request screen breaks when entering special characters (CVE-2019-10074)

    XMLWordPrintableJSON

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Release Branch 13.07, Release Branch 14.12, Release Branch 15.12, Release Branch 16.11, Release Branch 18.12, Release Branch 17.12
    • Fix Version/s: 16.11.06, 18.12.01, 17.12.01
    • Component/s: order
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      For some reason the Create Customer Request form (component://order/widget/ordermgr/CustRequestForms.xml) doesn't encode the output of the "story" field. This breaks the screen when certain html or freemarker special characters are entered into the field.

      I don't see any good reason why this field in particular shouldn't be using encoding so I'm going to enable it again.

        Attachments

          Activity

            People

            • Assignee:
              lektran Scott Gray
              Reporter:
              lektran Scott Gray
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: