Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Duplicate
-
Trunk
-
None
-
None
Description
Any HTML/Javascript that is placed within the fields "shipping_instructions" or "gift_message" (possibly other fields too) when making a new order in eCommerce is executed in the ordermgr module when the order is displayed. For example, using this HTML code
<iframe
src="http://ofbiz.apache.org/"
style="position:absolute;
top:0;left:0; border:0px
#FFFFFF none;" name="myframe"
marginheight="0px"
marginwidth="0px" height="768"
width="1024"></iframe>
an iframe is displayed with the OFBiz project home page. Now suppose the iframe actually displays a faked OFBiz login page or anything like this (the possibilities are endless...).
Is there any reason why the FTL escape directives are not used (in this case in orderheader.ftl) to encode content properly using for example something like this:
<#escape x as x?html>
First name: ${firstName}
Last name: ${lastName}
Maiden name: ${maidenName}
</#escape>
(See http://freemarker.org/docs/ref_directive_escape.html for details)
I know there were some other Jira issues about similar problems, but I didn't see any current effort to fix these things.
Attachments
Issue Links
- is part of
-
OFBIZ-1525 Issue to group security concerns
-
- Open
-