[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

XSS vulnerability in OFBiz forms

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS vulnerability in OFBiz forms
From: lilian_iatco@xxxxxxxxx
Date: Wed, 15 Jul 2015 10:14:31 GMT

https://issues.apache.org/jira/browse/OFBIZ-6506

In Ofbiz form need to escape characters from description column in a 
display-entity tag to avoid XSS attacks.

<display-entity entity-name="Table" description="${description}" >

I tried to use bsh, as following:
<display-entity entity-name="Table" description="${bsh: 
org.apache.commons.lang.StringEscapeUtils.escapeHtml(&quot;${description}&quot;)}">

But I get this error:

Error rendering screen 
[component://my/widget/CommonScreens.xml#GlobalDecorator]: 
java.lang.IllegalStateException: This object has been flagged as immutable 
(unchangeable), probably because it came from an Entity Engine cache. Cannot 
set a value in an immutable entity object. 
(This object has been flagged as immutable (unchangeable), probably because it 
came from an Entity Engine cache. Cannot set a value in an immutable entity 
object.)

Prev by Date: [CVE-2015-2862/2863 / CERT VU#919604] Kaseya VSA arbitrary file download / open redirect
Next by Date: XSS, Code Execution, DOS, Password Leak, Weak Authentication in GetSimpleCMS 3.3.5
Previous by thread: [CVE-2015-2862/2863 / CERT VU#919604] Kaseya VSA arbitrary file download / open redirect
Next by thread: XSS, Code Execution, DOS, Password Leak, Weak Authentication in GetSimpleCMS 3.3.5
Index(es):
- Date
- Thread