[ https://issues.apache.org/jira/browse/OFBIZ-6506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14623383#comment-14623383 ]

Jacques Le Roux commented on OFBIZ-6506:
----------------------------------------

I don't see what you are chasing. If I put
{code}
?productId=<script>alert('alert')</script>
{code}
after a URL, and use
{code}
<field name="productId" tooltip="${uiLabelMap.ProductId} [${productId}]"><text size="20" maxlength="20"/></field>
{code}
in a form, after passing the partyId value from a screen with
{code}
<set field="productId" from-field="parameters.productId"/>
{code}
this is what I get on screen:

!Tooltip no XSS issue.png!

And this is what I see in the HTML source:
{code}
<input type="text" name="productId" value="<script>alert('alert')</script>" size="20" maxlength="20" id="addSmsContactPerson_productId" /><script language="JavaScript" type="text/javascript">ajaxAutoCompleter('', false, 2, 300);</script> <span class="tooltip">Product Id [<script>alert('alert')</script>]</span>
{code}

Of course, same when using your example, which is in no way a means to show an XSS issue. A JavaScript must be actionable; I think I was pretty clear with the examples I gave above.
{code}
<input type="text" name="productId" value="<font color=red>XSS</font>" size="20" maxlength="20" id="formName_productId"/><script language="JavaScript" type="text/javascript">ajaxAutoCompleter('', false, 2, 300);</script> <span class="tooltip">Product Id [<font color=red>XSS</font>]</span>
{code}

So it's now clear to me that this does not show an XSS vulnerability and I close this issue as invalid.

A last question though: which version are you using? I used the trunk HEAD, but normally none of the supported versions have XSS vulnerabilities. All known so far have been fixed months ago, see the "Security Vulnerabilities" section at the bottom of http://ofbiz.apache.org/download.html. The last one was fixed almost a year ago.
> XSS vulnerability in OFBiz forms and screens especially in display-entity component
> -----------------------------------------------------------------------------------
>
>                 Key: OFBIZ-6506
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6506
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>            Reporter: Lilian Iatco
>            Assignee: Jacques Le Roux
>              Labels: display, entity, form, ofbiz, screen, vulnerability, xss
>         Attachments: Tooltip no XSS issue.png
>
>
> In an OFBiz form you need to escape characters from the description column in a display-entity tag to avoid XSS attacks.
> {code}<display-entity entity-name="Table" description="${description}" >{code}
> I tried to use bsh, as follows:
> {code}<display-entity entity-name="Table" description="${bsh: org.apache.commons.lang.StringEscapeUtils.escapeHtml("${description}")}">{code}
> But I get this error:
> {code}
> Error rendering screen [component://my/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalStateException: This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object.
> (This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object.)
> {code}
> PS:
> Also you can see here a similar issue:
> http://stackoverflow.com/questions/30097370/how-to-escape-characters-in-ofbiz-widget

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
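The distinction drawn in the comment above, between a payload that merely appears in the page source and one that actually becomes executable markup, can be checked mechanically rather than by eyeballing a source view. The following is an added example, not OFBiz code and not anything posted in this thread: it renders a text input plus its tooltip the way a form widget would, once with HTML escaping and once without, then parses the result the way a browser would to count real `<script>` elements. `render_field`, `MarkupInspector`, `analyze` and `is_escaped_correctly` are hypothetical helpers written for this illustration, and the label, field name and payload are constructed sample values.

```python
import html
from html.parser import HTMLParser

# Constructed sample values for this illustration (not data from the OFBiz issue).
LABEL = "Product Id"
FIELD = "productId"
PAYLOAD = "<script>alert('alert')</script>"


def render_field(label, name, value, escape=True):
    """Render a text input plus its tooltip the way a form widget would.

    escape=True HTML-escapes the value in both the attribute and the text
    context; escape=False models a renderer that forgets to escape.
    (Hypothetical helper, not OFBiz's form renderer.)
    """
    v = html.escape(value, quote=True) if escape else value
    return (
        f'<input type="text" name="{name}" value="{v}" size="20" maxlength="20" />'
        f'<span class="tooltip">{label} [{v}]</span>'
    )


class MarkupInspector(HTMLParser):
    """Record which elements a browser-side parser would actually create,
    plus the decoded attribute values and text it would see."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True by default: entities are decoded
        self.elements = []
        self.input_values = {}
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.elements.append(tag)
        attrs = dict(attrs)
        if tag == "input" and "name" in attrs:
            self.input_values[attrs["name"]] = attrs.get("value")

    def handle_data(self, data):
        self.text.append(data)


def analyze(markup):
    """Return how many real <script> elements the markup creates, the decoded
    value each input carries, and the visible (entity-decoded) text."""
    p = MarkupInspector()
    p.feed(markup)
    p.close()
    return {
        "script_elements": p.elements.count("script"),
        "input_values": p.input_values,
        "text": "".join(p.text),
    }


def is_escaped_correctly(label, name, value, escape=True):
    """True when the payload survives only as inert data: no <script> element
    is created and the input's decoded value still equals the original string."""
    result = analyze(render_field(label, name, value, escape))
    return result["script_elements"] == 0 and result["input_values"].get(name) == value


if __name__ == "__main__":
    for mode in (True, False):
        markup = render_field(LABEL, FIELD, PAYLOAD, escape=mode)
        print(f"escape={mode}: {analyze(markup)['script_elements']} script element(s)")
        print("  source:", markup)
```

With escaping on, the raw source contains `&lt;script&gt;` while the parsed input value and tooltip text decode back to the original string, which is exactly what a browser's "view source" or inspector shows after entity decoding; no `<script>` element exists. With escaping off, the same tooltip produces a real `<script>` element, which is the actionable case the comment is asking for.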