Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32370
HistoryJul 27, 2015 - 12:00 a.m.

XSS vulnerability in OFBiz forms

2015-07-2700:00:00
vulners.com
34
JSON

https://issues.apache.org/jira/browse/OFBIZ-6506

In Ofbiz form need to escape characters from description column in a display-entity tag to avoid XSS attacks.

<display-entity entity-name="Table" description="${description}" >

I tried to use bsh, as following:
<display-entity entity-name="Table" description="${bsh: org.apache.commons.lang.StringEscapeUtils.escapeHtml(&quot;${description}&quot;)}">

But I get this error:

Error rendering screen [component://my/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalStateException: This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object.
(This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object.)

JSON