Service Forms execute Javascript code entered by end-users

Unanswered Question
Nov 17th, 2011
Service Forms execute Javascript code entered by end-users

Thought of sharing a finding which is  new/surprising for me .newScale service forms do not have request  validation turned on and hence in the text fields if i enter javascript  code (<script>alert("hello!")</script)) and submit  the form, the script gets executed whenever i reload that form.  Ideally(more from Security perspective) , whatever i entered in the  textbox should just be displayed as text and service form shouldn't  'identify' and execute it as script.

This is in version 2006.0.8  and not sure if fixed in later versions.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Kirtesh Dusara Thu, 11/17/2011 - 18:14

Agreed - this is a major security flaw

You can also add javascript code to the user profile fields and it executes - this can be very damaging

Patti Richards Thu, 11/17/2011 - 18:14

I just tried it in our version 2006.0.9 and it didn't execute the javascript. We also had a fix so firefox brower would work, so its possible that file fixed the problem.


This Discussion

Related Content