Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-1193

html code is not sanitized in all the text input field

    XMLWordPrintableJSON

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: Trunk
    • Component/s: ecommerce, framework
    • Labels:
      None
    • Environment:

      any environment

    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      This a very critical bug in ofbiz you can put in any html text including script or iframe tags in the input field for address update or customer name update i.e. any text field in ofbiz.

      Its a major security issue for all the ofbiz installation since the text in the input text field is not sanitized.

      below is small source code of the page where a script in the demo store for DemoCustomer profile which just pops up an alert box.

      <tr>
      <td width="26%" align="right" valign="top"><div class="tabletext">Address Line 1</div></td>
      <td width="5"> </td>
      <td width="74%">
      <input type="text" class='inputBox' size="30" maxlength="30" name="address1" value=""/><script>alert("a")</script>">
      *</td>

      </tr>
      <tr>
      Along with this attached the screenshot you can try the demo on ofbiz ecommerce store on the ofbiz website and use DemoCustomer profile you will see the same screenshot.

        Attachments

        1. ofbiz-1193-webtools_entity.patch
          11 kB
          Wickersheimer Jeremy
        2. ofbiz-1193-messages_ftl.patch
          2 kB
          Wickersheimer Jeremy
        3. ofbiz-1193-logins.patch
          0.2 kB
          Wickersheimer Jeremy
        4. error screenshot.jpg
          168 kB
          Vikrant Rathore

          Issue Links

            Activity

              People

              • Assignee:
                jonesde David E. Jones
                Reporter:
                vikrant Vikrant Rathore
              • Votes:
                3 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: