Author: lektran
Date: Sat Oct 17 08:40:17 2009
New Revision: 826196
URL: http://svn.apache.org/viewvc?rev=826196&view=rev
Log:
Fix security issue reported by Alexandre Mazari - OFBIZ-2747
Request parameters were being made available to surveys which in turn were sending them straight back to the browser creating an XSS vulnerability.
This isn't a true fix because I've simply disabled the functionality but at least the security hole is plugged.
Modified:
ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
Modified: ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java?rev=826196&r1=826195&r2=826196&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java (original)
+++ ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java Sat Oct 17 08:40:17 2009
@@ -101,10 +101,13 @@
* @param passThru
*/
public void setPassThru(Map passThru) {
+ /* Creates an XSS vulnerability, by passing incoming parameters straight back out to the browser
+ * commented until someone decides either cleanse the parameters or find an alternative solution
if (passThru != null) {
this.passThru = FastMap.newInstance();
this.passThru.putAll(passThru);
}
+ */
}
/**
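Review bot: with its body commented out, `setPassThru(Map passThru)` still accepts a map and silently discards it, so callers keep believing pass-through values were set while `this.passThru` is never assigned here; at minimum the Javadoc `@param passThru` above should state that the value is currently ignored (or the method should log at debug level that pass-through is disabled) so the behaviour change is discoverable rather than surprising. The commit message identifies the actual defect as request parameters being echoed to the browser without output encoding, so the durable fix is to HTML-encode these values at the point where the survey renders them (or restrict them to an allow-list of expected parameter names), after which the original `putAll` body can be restored. Disabling by `/* ... */` also leaves dead code that would stop compiling the moment a `*/` appears inside the disabled block; a `// TODO` reference to OFBIZ-2747 with the code removed would be cleaner. Minor: the comment text should read "until someone decides either to cleanse the parameters or to find an alternative solution".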