Service Forms execute Javascript code entered by end-users

Mihir Mihir
Level 1

Thought of sharing a finding which is new/surprising for me. newScale service forms do not have request validation turned on, and hence in the text fields if I enter JavaScript code (`<script>alert("hello!")</script>`) and submit the form, the script gets executed whenever I reload that form. Ideally (more from a security perspective), whatever I entered in the textbox should just be displayed as text, and the service form shouldn't 'identify' and execute it as script.

This is in version 2006.0.8, and I am not sure if it is fixed in later versions.

3 Replies

Kirtesh Dusara
Level 1

Agreed - this is a major security flaw

You can also add JavaScript code to the user profile fields and it executes - this can be very damaging.

Patti Richards
Level 1

I just tried it in our version 2006.0.9 and it didn't execute the JavaScript. We also had a fix so the Firefox browser would work, so it's possible that fix fixed the problem.

Kirtesh Dusara
Level 1

The version we have is 2007.1.3 and it works as described.
