11-17-2011 06:14 PM
Service Forms execute Javascript code entered by end-users
Thought of sharing a finding which is new/surprising for me. newScale service forms do not have request validation turned on and hence in the text fields if I enter JavaScript code (<script>alert("hello!")</script>) and submit the form, the script gets executed whenever I reload that form. Ideally (more from a security perspective), whatever I entered in the textbox should just be displayed as text and the service form shouldn't 'identify' and execute it as script.
This is in version 2006.0.8 and not sure if fixed in later versions.
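The behaviour the post asks for (a stored value is shown back as text, never parsed as markup) is output encoding at the point the value is written into HTML. The following is an added example, not code from the thread or from newScale: a minimal server-side renderer in JavaScript with the vulnerable concatenation next to the encoded form, plus a check that a reviewer can run over rendered output. The function names, the field layout and the sample values are assumptions made for the example.

```javascript
// Added example (not from the original thread or from newScale): HTML-encode
// stored form-field values so that input such as <script>alert("hello!")</script>
// is rendered back as visible text instead of being parsed as markup on reload.
// Function names, the field layout and the sample values are assumptions.

// Encode the five characters that can change HTML structure. Encoding the two
// quote characters makes the result safe inside quoted attribute values as well
// as in element text content.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored value is concatenated straight into the page,
// so a stored <script> element becomes live markup whenever the form is reloaded.
function renderFieldUnsafe(label, storedValue) {
  return `<label>${label}: <input type="text" value="${storedValue}"></label>` +
         `<div class="preview">${storedValue}</div>`;
}

// Hardened pattern: every untrusted value is encoded where it is written into
// HTML, both inside the attribute and in the element content.
function renderFieldSafe(label, storedValue) {
  const safe = escapeHtml(storedValue);
  return `<label>${escapeHtml(label)}: <input type="text" value="${safe}"></label>` +
         `<div class="preview">${safe}</div>`;
}

// Review check: does any tag present in the untrusted input survive unchanged
// in the rendered HTML? True means the value was emitted as live markup.
function containsLiveMarkup(html, untrusted) {
  const tagsInInput = untrusted.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tagsInInput.some((tag) => html.includes(tag));
}

// Constructed sample values: the payload shape from the post and an ordinary
// value containing characters that must still display correctly after encoding.
const SAMPLES = [
  '<script>alert("hello!")</script>',
  'Smith & "Jones" <Ltd>',
];

// Stand-alone demonstration: print both renderings and the check result.
for (const value of SAMPLES) {
  const unsafe = renderFieldUnsafe('Comment', value);
  const safe = renderFieldSafe('Comment', value);
  console.log('input:        ', value);
  console.log('unsafe render:', unsafe, '| live markup:', containsLiveMarkup(unsafe, value));
  console.log('safe render:  ', safe, '| live markup:', containsLiveMarkup(safe, value));
  console.log();
}
```

The check only inspects tags that were present in the input, so it is a regression guard for the rendering layer, not a general scanner; the real control is that `renderFieldSafe` encodes on output regardless of what validation did on input.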
11-17-2011 06:14 PM
Agreed - this is a major security flaw
You can also add JavaScript code to the user profile fields and it executes - this can be very damaging.
11-17-2011 06:14 PM
I just tried it in our version 2006.0.9 and it didn't execute the JavaScript. We also had a fix so the Firefox browser would work, so it's possible that file fixed the problem.
11-17-2011 06:14 PM
The version we have is 2007.1.3 and it works as described.