This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
     new dfc7ee4  Improved: Fix OFBiz specific Javascript security issues reported by GH CodeQL (OFBIZ-12366)
dfc7ee4 is described below

commit dfc7ee40328b54339a03123bb10adf9a3bc1f74a
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Nov 8 13:14:24 2021 +0100

    Improved: Fix OFBiz specific Javascript security issues reported by GH CodeQL (OFBIZ-12366)

    Fixes "A DOM text reinterpreted as HTML" issue in fieldlookup.js

    GH CodeQL reports:
    "A webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.
    Recommendation
    To guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.
    Example
    "Extracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability."

    GH CodeQL suggests:
    The above vulnerability can be fixed by using $.find instead of $. The $.find function will only interpret target as a CSS selector and never as HTML, thereby preventing an XSS attack.
--- themes/common-theme/webapp/common/js/util/fieldlookup.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/themes/common-theme/webapp/common/js/util/fieldlookup.js b/themes/common-theme/webapp/common/js/util/fieldlookup.js index 7f6e38b..5d8029c 100644 --- a/themes/common-theme/webapp/common/js/util/fieldlookup.js +++ b/themes/common-theme/webapp/common/js/util/fieldlookup.js 
@@ -304,7 +304,7 @@ var Lookup = function(options) { var queryArgs = "presentation=" + options.presentation; if (typeof options.args == "object" && jQuery.isArray(options.args)) { for ( var i = 0; i < options.args.length; i++) { - queryArgs += "&parm" + i + "=" + jQuery(options.args[i]).val(); + queryArgs += "&parm" + i + "=" + jQuery(jQuery.find(options.args[i]).val()); } }
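Review bot: the added line in this hunk misplaces the closing parenthesis, so .val() is called on the return value of jQuery.find(options.args[i]) instead of on a jQuery object. jQuery.find is the Sizzle selector engine and returns a plain array of DOM elements, which has no val method, so this line throws a TypeError as soon as options.args is a non-empty array, and the outer jQuery(...) would then be wrapping a field value (a string) again, which is exactly the jQuery(text) pattern CodeQL flagged. The form that matches the commit message's intent is
    queryArgs += "&parm" + i + "=" + jQuery(jQuery.find(options.args[i])).val();
i.e. wrap the element array returned by jQuery.find in jQuery() and read .val() from that; a quick manual check of a lookup field configured with args would have surfaced the exception in the browser console. As a minor point, the unchanged context line still uses jQuery.isArray, which is deprecated since jQuery 3.2 in favour of Array.isArray, though that is outside the scope of this change.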