Author: lektran
Date: Sat Oct 17 08:53:01 2009
New Revision: 826201
URL: http://svn.apache.org/viewvc?rev=826201&view=rev
Log:
Merged from trunk r826196
Fix security issue reported by Alexandre Mazari - OFBIZ-2747
Request parameters were being made available to surveys, which in turn were sending them straight back to the browser, creating an XSS vulnerability.
This isn't a true fix because I've simply disabled the functionality, but at least the security hole is plugged.
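The pattern the log entry describes, request parameters copied into a pass-through map and then written back into the survey page verbatim, is shown below as an added, self-contained illustration. It is not OFBiz code and not the committer's; the class and method names (PassThruDemo, renderHiddenFieldsUnsafe, renderHiddenFieldsEscaped) and the sample parameters are invented for the example. The unsafe renderer reproduces the attribute break-out that makes the echo exploitable; the escaped renderer is the "cleanse the parameters" option the code comment defers.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration (not OFBiz code): a map of pass-through request
 * parameters rendered into hidden form fields, once verbatim (the XSS
 * pattern described in the commit log) and once HTML-escaped.
 * All names in this class are hypothetical.
 */
public class PassThruDemo {

    /** Escapes the five characters that can change HTML structure inside text or a quoted attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable: parameter names and values go into the markup exactly as received. */
    static String renderHiddenFieldsUnsafe(Map<String, String> passThru) {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, String> e : passThru.entrySet()) {
            out.append("<input type=\"hidden\" name=\"").append(e.getKey())
               .append("\" value=\"").append(e.getValue()).append("\"/>\n");
        }
        return out.toString();
    }

    /** Hardened: same output shape, but every attacker-influenced string is escaped at the point of output. */
    static String renderHiddenFieldsEscaped(Map<String, String> passThru) {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, String> e : passThru.entrySet()) {
            out.append("<input type=\"hidden\" name=\"").append(escapeHtml(e.getKey()))
               .append("\" value=\"").append(escapeHtml(e.getValue())).append("\"/>\n");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: one benign parameter and one carrying an
        // attribute break-out payload, as a request to the survey page might.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("surveyId", "1000");
        params.put("returnUrl", "\"><script>alert(document.cookie)</script><x a=\"");

        System.out.println("--- unsafe (payload closes the attribute and injects a script element) ---");
        System.out.print(renderHiddenFieldsUnsafe(params));
        System.out.println("--- escaped (payload stays inside the attribute value) ---");
        System.out.print(renderHiddenFieldsEscaped(params));
    }
}
```

Run with `java PassThruDemo.java` (JDK 11 or later). In a real application the escaping belongs in the view layer rather than in a hand-rolled helper; a template engine's HTML escaping or a maintained encoder library covers more contexts (URLs, JavaScript, CSS) than the five characters above. Escaping alone also does not decide which parameters should be echoed at all; an allow-list of expected parameter names is the other half of a proper fix for pass-through data.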
Modified:
ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
Modified: ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java?rev=826201&r1=826200&r2=826201&view=diff
==============================================================================
--- ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java (original)
+++ ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java Sat Oct 17 08:53:01 2009
@@ -101,10 +101,13 @@
* @param passThru
*/
public void setPassThru(Map passThru) {
+ /* Creates an XSS vulnerability, by passing incoming parameters straight back out to the browser
+ * commented until someone decides either cleanse the parameters or find an alternative solution
if (passThru != null) {
this.passThru = FastMap.newInstance();
this.passThru.putAll(passThru);
}
+ */
}
/**
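Review bot: with its body commented out, setPassThru(Map passThru) keeps its public signature and its `* @param passThru` Javadoc but now silently discards the argument, so callers get no indication that the data they pass is dropped; at minimum the Javadoc should say the parameter is currently ignored, or the method should be marked @Deprecated so the change is visible at compile time. Leaving the old body inside a block comment rather than deleting it (version control already preserves it) is a maintenance smell, and the comment text would be more useful as a TODO that names the issue, e.g. "TODO OFBIZ-2747: re-enable once the values are HTML-escaped where they are written to the page"; the sentence "until someone decides either cleanse the parameters or find an alternative solution" also needs "either to cleanse ... or to find". Note that the root cause, per the log entry, is unescaped output of these values, so the durable fix is escaping at the rendering site rather than in this setter, where the data is only being stored.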