Log Message:
I found a possible XSS attack through ProductContentWrapper.java.getProductContentAsText(), which is notably used in several FTL files. This also exists in other *ContentWrapper.java classes.
Note that in supported releases it's hard to exploit: it's a Stored XSS (https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting), which means you first need to somehow inject the exploiting code into the DB.
This fixes it by changing the ContentWrapper interface
from
public interface ContentWrapper {
    public StringUtil.StringWrapper get(String contentTypeId);
}
to
public interface ContentWrapper {
    public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
}
And changing the Category, Party, Product, ProductPromo and WorkEffort ContentWrappers accordingly. This means using 2 types of encoderType: "html" and "url".
The "html" encoderType will be used for all ProductContentTypes except those whose ContentTypeIds contain URL (actually end with "_URL"), which will use the "url" encoderType.
It concerns not only the get() method but also methods like getPartyContentAsText(), getProductContentAsText(), etc.
It seems like a big change, but it's straightforward. It should normally be complete.
There are some (unrelated) tabs replaced by spaces here and there, and a few trailing spaces removed, but nothing big.
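As an added illustration (not OFBiz code and not part of this commit), a stand-alone Java sketch of the rule the message describes: a two-argument get(contentTypeId, encoderType) where "_URL" content types are url-encoded and everything else is html-encoded before reaching a template. The class name, method names, the inline STORED map and its sample values are constructed for the example; OFBiz's own encoders are replaced by a hand-written HTML entity encoder and java.net.URLEncoder.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

/** Minimal stand-in for a *ContentWrapper: content is encoded by encoderType on the way out, not trusted as stored. */
public final class ContentEncodingExample {

    // Constructed sample of stored content (hypothetical); DESCRIPTION stands in for markup already injected into the DB.
    private static final Map<String, String> STORED = Map.of(
        "DESCRIPTION", "<img src=x onerror=alert(1)> Blue widget",
        "SMALL_IMAGE_URL", "blue widget\".png");

    /** The commit's selection rule: ContentTypeIds ending in "_URL" use "url", everything else uses "html". */
    static String encoderTypeFor(String contentTypeId) {
        return contentTypeId.endsWith("_URL") ? "url" : "html";
    }

    /** Same shape as the new ContentWrapper.get(contentTypeId, encoderType); returns the encoded value. */
    static String get(String contentTypeId, String encoderType) {
        String raw = STORED.getOrDefault(contentTypeId, "");
        if ("html".equals(encoderType)) {
            return encodeHtml(raw);
        }
        if ("url".equals(encoderType)) {
            return URLEncoder.encode(raw, StandardCharsets.UTF_8);
        }
        throw new IllegalArgumentException("unknown encoderType: " + encoderType);
    }

    /** HTML entity encoding of the characters that let stored text break out of a text node or attribute value. */
    static String encodeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        for (String id : STORED.keySet()) {
            // DESCRIPTION comes back with &lt;img ...&gt;, SMALL_IMAGE_URL with the space and quote percent-encoded.
            System.out.println(id + " [" + encoderTypeFor(id) + "] -> " + get(id, encoderTypeFor(id)));
        }
    }
}
```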