OFBiz OFBiz - Notifications

[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Nicolas Malin (Jira)
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17359434#comment-17359434 ]

Xin Wang commented on OFBIZ-12249:
----------------------------------

Hi Jacques,

To make my opinion more clear, I have filed another issue OFBIZ-12254, which is related to a XSS vulnerability.

Although this vulnerability is only valid when `sanitizer.enable` is disabled. but the point is that we can escaping text properly to prevent that problem, without the help of sanitizer, as shown in the attached patch.

> Unexpected decoding of url encoded textarea data after submission
> ------------------------------------------------------------------
>
>                 Key: OFBIZ-12249
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12249
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: Trunk
>            Reporter: Xin Wang
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: Image 005.png, Image 006.png, OFBIZ-12249.patch, OFBIZ-12249.patch
>
>
> When trying to add a note to WorkEffort entity, I found that url encoded characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will turned to be: https://example.com/a link
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Free forum by Nabble Edit this page