OFBiz form: I need to escape characters from the description column of a display-entity tag to avoid XSS attacks:
<display-entity entity-name="Table" description="${description}" >
I tried using bsh, as shown below:
<display-entity entity-name="Table" description="${bsh: org.apache.commons.lang.StringEscapeUtils.escapeHtml("${description}")}">
But I got this error:
Error rendering screen [component://my/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalStateException: This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object.
Is there a solution for escaping the characters in the description?
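The following is an added example, not code from the question or from the OFBiz widget engine. It shows what is at stake in the question: the same stored description value is rendered once raw and once through commons-lang 2.x `StringEscapeUtils.escapeHtml`, the method the question tries to call from bsh. The class name `DescriptionEscapeDemo`, the renderer methods `renderRaw`/`renderEscaped` and the sample value are all assumptions standing in for the widget renderer and for real entity data.

```java
import org.apache.commons.lang.StringEscapeUtils;

/**
 * Added example, not code from OFBiz or from the question above.
 * renderRaw/renderEscaped are hypothetical stand-ins for the widget
 * renderer; the only real API used is commons-lang 2.x escapeHtml.
 */
public class DescriptionEscapeDemo {

    // Constructed sample: a value an attacker could store in the entity's
    // description column. It closes the attribute, adds an event handler,
    // and also carries a script element for the text-node position.
    static final String HOSTILE_DESCRIPTION =
        "Gizmo\" onmouseover=\"alert(document.cookie)\" x=\"<script>alert(1)</script>";

    // Hypothetical renderer: interpolates the value into both a
    // double-quoted attribute and a text node, with no escaping.
    static String renderRaw(String description) {
        return "<span title=\"" + description + "\">" + description + "</span>";
    }

    // Same renderer with the value HTML-escaped first. escapeHtml turns
    // < > & " into entities, so the value can neither close the attribute
    // nor open a tag. Caveat: commons-lang 2.x escapeHtml does NOT escape
    // the single quote, so this is only adequate for double-quoted attributes.
    static String renderEscaped(String description) {
        String safe = StringEscapeUtils.escapeHtml(description);
        return "<span title=\"" + safe + "\">" + safe + "</span>";
    }

    // Crude detector for the two payload shapes in the sample: a raw
    // event-handler attribute (quote intact) or a raw script tag.
    // Entity-encoded forms (&quot;, &lt;script&gt;) do not match.
    static boolean containsInjectedMarkup(String html) {
        return html.contains(" onmouseover=\"") || html.contains("<script>");
    }

    public static void main(String[] args) {
        String raw = renderRaw(HOSTILE_DESCRIPTION);
        String escaped = renderEscaped(HOSTILE_DESCRIPTION);

        System.out.println("raw:     " + raw);
        System.out.println("escaped: " + escaped);
        System.out.println("raw injects markup:     " + containsInjectedMarkup(raw));
        System.out.println("escaped injects markup: " + containsInjectedMarkup(escaped));
    }
}
```

Compile it with the commons-lang 2.x jar the question already references on the classpath. The point to take away is that escaping must happen at the place where the value is written into HTML, with the escaper chosen for that output context; whether the OFBiz widget renderer already does this for description is exactly what the two answers below disagree about.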
Answer 0 (score: 0)
It is explained at https://issues.apache.org/jira/browse/OFBIZ-6506 that there is no XSS issue, so there is no need to escape; it is done automatically by OFBiz.
Answer 1 (score: 0)
We recently provided a patch for this XSS vulnerability in Scipio ERP (an OFBiz fork):
https://github.com/ilscipio/scipio-erp/commit/cf7e8ef40af06e2903fb50a3f708a455ffd88c2a
Worth a try (www.scipioerp.com).