[OFBIZ-6506] XSS vulnerability in OFBiz forms and screens especially in display-entity component - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 14.12.01, 12.04.06, 15.12.01, 13.07.04
Component/s: ALL COMPONENTS
Labels:
- CVE
- display
- entity
- form
- ofbiz
- screen
- vulnerability
- xss

Flags:

Important
External issue URL:
http://stackoverflow.com/questions/30708500/how-to-escape-characters-in-ofbiz-display-entity-xss-in-ofbiz
Sprint:
Bug Crush Event - 21/2/2015

Description

In Ofbiz form need to escape characters from description column in a display-entity tag to avoid XSS attacks.

<display-entity entity-name="Table" description="${description}" >

I tried to use bsh, as following:

<display-entity entity-name="Table" description="${bsh: org.apache.commons.lang.StringEscapeUtils.escapeHtml(&quot;${description}&quot;)}">

But I get this error:

Error rendering screen [component://my/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalStateException: This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object. 
(This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object.)

PS:
Also you can see here a similar issue:
http://stackoverflow.com/questions/30097370/how-to-escape-characters-in-ofbiz-widget

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Tooltip no XSS issue.png
11/Jul/15 13:02
3 kB
Jacques Le Roux

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Lilian Iatco

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 16/Jun/15 08:44

Updated:: 17/Dec/16 09:30

Resolved:: 06/Apr/16 10:46