[ https://issues.apache.org/jira/browse/OFBIZ-5847?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-5847.
----------------------------------
Resolution: Fixed
Assignee: Nicolas Malin
Indeed the issue comes from the ESAPI lib, when we use GET style URL parameters in screens/forms links instead of POST style, as in the 3 cases Nicolas fixed.
I made a review; we have 51 target*& occurrences OOTB:
* The <form ... target > links are not concerned (see edit budget item for instance)
* Nor the <hyperlink target> links (see systems notes for instance)
* Nor <hyperlink target> links (see ListProductStoreFacility, but not in trunk due to OFBIZ-6051)
* Nor <on-event-update-area area-target> links (see ListProductStoreFacility EditProductStoreFacility)
So it seems only the <link target> links are concerned and moreover hopefully maybe only in menus. We no longer have any of them OOTB. So at least OFBiz is ok.
I will close this issue; this can no longer appear in new and custom code, because the new ESAPI implementation now throws a
{code}
org.ofbiz.base.util.UtilCodec$IntrusionException: Input validation failure
{code}
in such cases (just try to revert r1637716 in trunk).
Happy end :)
> If define the & and combine with "part" that encode to ∂
> ------------------------------------------------------------
>
> Key: OFBIZ-5847
> URL: https://issues.apache.org/jira/browse/OFBIZ-5847
> Project: OFBiz
> Issue Type: Bug
> Components: ALL APPLICATIONS
> Affects Versions: Trunk
> Reporter: Supachai Chaima-ngua
> Assignee: Nicolas Malin
> Labels: encode, url
> Fix For: 12.04.06, 13.07.02, Trunk
>
> Attachments: OFBIZ-5847.patch, OFBiz WorkEffort Manager Calendar.png
>
>
> XML widget problems: if you define an & and combine it with "part", it encodes to ∂
> Example >>>
> BEFORE: viewprofile?status=Y&partyId=Demo
> AFTER: viewprofile?status=Y∂yId=Demo
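The corruption described in the report, reproduced as an added example (this is not OFBiz or ESAPI code): a lenient HTML-entity decoder in the style of ESAPI's HTMLEntityCodec turns `&partyId=Demo` into `∂yId=Demo` because `part` names U+2202 and the closing `;` is optional, and a canonicalize-and-reject check of the kind the comment above attributes to the new UtilCodec refuses such input instead of silently using it. The entity table, `IntrusionException` class and the "any change under decoding is a failure" rule are simplifying assumptions of this example.

```python
# Added example (not OFBiz or ESAPI code): a lenient HTML-entity decoder of the
# kind ESAPI's HTMLEntityCodec uses, and the canonicalize-and-reject check that
# turns the silent '&partyId' -> '\u2202yId' corruption into a hard failure.

# Constructed, deliberately tiny entity table; a real codec knows many more.
# "part" is the HTML name for U+2202 (PARTIAL DIFFERENTIAL), so a decoder
# that does not require the closing ';' eats the "&part" of "&partyId".
ENTITIES = {"amp": "&", "lt": "<", "gt": ">", "part": "\u2202", "para": "\u00b6"}

def lenient_html_decode(text: str) -> str:
    """Decode named entities, longest name first, with the ';' optional."""
    out, i = [], 0
    while i < len(text):
        if text[i] != "&":
            out.append(text[i])
            i += 1
            continue
        j = i + 1                      # alphanumeric run after the '&'
        while j < len(text) and text[j].isalnum():
            j += 1
        name = text[i + 1:j]
        match = next((name[:n] for n in range(len(name), 0, -1)
                      if name[:n] in ENTITIES), None)
        if match is None:              # not an entity: keep the literal '&'
            out.append("&")
            i += 1
            continue
        out.append(ENTITIES[match])
        i += 1 + len(match)
        if i < len(text) and text[i] == ";":   # ';' belongs to the entity
            i += 1
    return "".join(out)

class IntrusionException(Exception):
    """Stand-in for org.ofbiz.base.util.UtilCodec$IntrusionException."""

def decoding_changes(raw: str) -> bool:
    """True when entity decoding would alter the value, i.e. it was encoded."""
    return lenient_html_decode(raw) != raw

def canonicalize(raw: str) -> str:
    """Accept only input that decoding leaves untouched, else fail loudly.
    Simplifying assumption: any change under decoding counts as the 'Input
    validation failure' the thread reports, instead of silently handing
    'status=Y\u2202yId=Demo' to the screen or form."""
    if decoding_changes(raw):
        raise IntrusionException("Input validation failure: %r -> %r"
                                 % (raw, lenient_html_decode(raw)))
    return raw
```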
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)