[ofbiz-framework] branch trunk updated: Improved: Reflected XSS in content component (OFBIZ-11840)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 07cb19c  Improved: Reflected XSS in content component (OFBIZ-11840)
07cb19c is described below

commit 07cb19c0b1d7a2ea21aeb1efef44a537f24f2090
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Wed Nov 11 20:30:11 2020 +0100

    Improved: Reflected XSS in content component (OFBIZ-11840)
   
    Adds some more cases and explains things better, no backport
---
 .../org/apache/ofbiz/content/data/DataEvents.java    | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
index 23fb069..1a91686 100644
--- a/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
+++ b/applications/content/src/main/java/org/apache/ofbiz/content/data/DataEvents.java
@@ -83,10 +83,22 @@ public class DataEvents {
         String permissionService = EntityUtilProperties.getPropertyValue("content", "stream.permission.service",
                 "genericContentPermission", delegator);
 
-        // This is counterintuitive but it works, for OFBIZ-11840
-        // It could be improved by checking for possible events associated with svg
-        // As listed at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
-        if (contentId.contains("<svg")) {
+        // @formatter:off (prevent unwanted formatting in Eclipse)
+        // For OFBIZ-11840. It's counterintuitive to return success but it makes sense if you thing about it. It simply returns a blank screen.
+        // To illustrate, only few payloads, onLoad related, are handled because it works everytime.
+        // It could be improved by checking for all payloads.
+        // As listed at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet, at 2020-11-11 there are 8979 of them.
+        // So a way could be to read all of them and test...
+        // @formatter:on
+
+        if (contentId.toLowerCase().contains("<svg")
+                || contentId.toLowerCase().contains("<body")
+                || contentId.toLowerCase().contains("<iframe")
+                || contentId.toLowerCase().contains("<object")
+                || contentId.toLowerCase().contains("<embed")
+                || contentId.toLowerCase().contains("<a href='javas")
+                || contentId.toLowerCase().contains("<a href=\"javas")
+                || contentId.toLowerCase().contains("<script")) {
             return "success";
         }
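Review bot: the new condition (the `<svg` / `<body` / `<iframe` / `<object` / `<embed` / `<a href=...javas` / `<script` chain) is a substring deny-list on tag names, and a deny-list cannot close a reflected XSS in this position: any tag not enumerated (an `<img` carrying an event handler, for example), an `<a href` with whitespace or an HTML entity between the `=` and `javas`, or any other markup the comment's own "8979 payloads" figure alludes to passes the check and is reflected as before. Since `contentId` is an entity identifier, a positive check is both simpler and complete: validate the value against the character set a legitimate identifier can contain (for example a pattern such as `[A-Za-z0-9_.-]+`, adjusted to whatever ids OFBiz actually issues) and reject everything else, and HTML-encode the value wherever it is written into the response, instead of trying to enumerate attack markup. Two smaller points on the same lines: `contentId.toLowerCase()` is evaluated eight times where a single local (`String lowerId = contentId.toLowerCase();`) would do, and silently returning "success" on a suspected injection leaves no trace for operators; at minimum log the rejected value at warning level before returning. The comment text also has typos worth fixing in a follow-up: "if you thing about it" should read "if you think about it", "everytime" should be "every time", and "only few payloads" should be "only a few payloads".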