[OFBIZ-1193] html code is not sanitized in all the text input field - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Trunk
Fix Version/s: Trunk
Component/s: ecommerce, framework
Labels:
None
Environment:

any environment

Sprint:
Bug Crush Event - 21/2/2015

Description

This a very critical bug in ofbiz you can put in any html text including script or iframe tags in the input field for address update or customer name update i.e. any text field in ofbiz.

Its a major security issue for all the ofbiz installation since the text in the input text field is not sanitized.

below is small source code of the page where a script in the demo store for DemoCustomer profile which just pops up an alert box.

<tr>
<td width="26%" align="right" valign="top"><div class="tabletext">Address Line 1</div></td>
<td width="5"> </td>
<td width="74%">
<input type="text" class='inputBox' size="30" maxlength="30" name="address1" value=""/><script>alert("a")</script>">
*</td>

</tr>
<tr>
Along with this attached the screenshot you can try the demo on ofbiz ecommerce store on the ofbiz website and use DemoCustomer profile you will see the same screenshot.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

error screenshot.jpg
09/Aug/07 13:08
168 kB
Vikrant Rathore
ofbiz-1193-messages_ftl.patch
15/Aug/07 05:25
2 kB
Wickersheimer Jeremy
ofbiz-1193-webtools_entity.patch
15/Aug/07 07:46
11 kB
Wickersheimer Jeremy
ofbiz-1193-logins.patch
16/Aug/07 03:49
0.2 kB
Wickersheimer Jeremy

Issue Links

is part of

OFBIZ-1525 Issue to group security concerns

Open

relates to

OFBIZ-178 Cross site scripting vulnerability in Forum

Closed

OFBIZ-260 Cross Site Scripting Vulnerability (XSS)

Closed

Activity

People

Assignee:: David E. Jones

Reporter:: Vikrant Rathore

Votes:: 3 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 09/Aug/07 13:05

Updated:: 24/Mar/21 10:10

Resolved:: 14/Feb/09 07:29