Jacopo Cappellato created OFBIZ-10054:
-----------------------------------------
Summary: Product content management screen doesn't validate trusted users' input
Key: OFBIZ-10054
URL: https://issues.apache.org/jira/browse/OFBIZ-10054
Project: OFBiz
Issue Type: Improvement
Components: product
Affects Versions: Release Branch 16.11, Trunk
Reporter: Jacopo Cappellato
Steps to recreate:
1) go to (authenticate with admin/ofbiz):
https://localhost:8443/catalog/control/EditProductContent?productId=WG-1111
2) set the content of the field labeled "Large Image" to:
non_existent.foo" onerror="alert('Hi!');
3) visit the url:
https://localhost:8443/ecommerce/control/product?product_id=WG-1111
A popup message with "Hi!" will appear.
Thanks to Loris Nardo for the report.
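An added illustration (not OFBiz code) of why the value in step 2 escapes the src attribute, and of the two defences a fix would combine: HTML attribute encoding at render time and validation of the image-URL field on input. All function names are hypothetical.

```javascript
// Constructed input: the same string as in the reproduction steps above.
const POC_VALUE = 'non_existent.foo" onerror="alert(\'Hi!\');';

// Unsafe rendering: raw concatenation into the attribute, the behaviour the ticket describes.
function renderImgUnsafe(url) {
  return '<img src="' + url + '">';
}

// HTML attribute encoding for the characters that can end or alter an attribute.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened rendering: the whole value stays inside the quoted src attribute.
function renderImgSafe(url) {
  return '<img src="' + encodeAttr(url) + '">';
}

// Input validation for an image-URL field: accept an http(s) URL or a relative path
// of safe characters; reject quotes, angle brackets, whitespace and other schemes.
function isValidImageUrl(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) return false;
  if (/[\s"'<>]/.test(value)) return false;
  if (/^https?:\/\//i.test(value)) return true;
  return /^[A-Za-z0-9_\-./]+$/.test(value) && !value.startsWith('//');
}

// Minimal quote-aware attribute tokenizer for a single tag, used only to show
// which attributes a browser would see in each rendering.
function attributeNames(tag) {
  const names = [];
  const end = tag.lastIndexOf('>');
  let i = tag.indexOf(' ');                      // skip the tag name
  while (i !== -1 && i < end) {
    while (i < end && tag[i] === ' ') i++;
    let name = '';
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    if (name) names.push(name.toLowerCase());
    if (tag[i] === '=') {
      i++;
      const q = tag[i];
      if (q === '"' || q === "'") {              // skip a quoted value in one step
        const close = tag.indexOf(q, i + 1);
        if (close === -1) break;
        i = close + 1;
      } else {
        while (i < end && tag[i] !== ' ') i++;   // unquoted value
      }
    }
  }
  return names;
}
```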
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)