OFBiz form: need to escape characters in the description attribute of the display-entity tag to prevent XSS attacks:
<display-entity entity-name="Table" description="${description}" >
I tried using bsh, as follows:
<display-entity entity-name="Table" description="${bsh: org.apache.commons.lang.StringEscapeUtils.escapeHtml("${description}")}">
But I get this error:
Error rendering screen [component://my/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalStateException: This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object.
(This object has been flagged as immutable (unchangeable), probably because it came from an Entity Engine cache. Cannot set a value in an immutable entity object.)
Is there a way to escape characters in the description?
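To make the concern in the question concrete, here is an added example (not code from the original post or from OFBiz) that shows what goes wrong when a description value is interpolated into HTML markup unescaped, and what an HTML-context escaper has to cover. The `<span title="...">` markup, the `escapeHtml` helper and the sample descriptions are all assumptions constructed for the demo; they do not reproduce what the OFBiz form renderer actually emits for display-entity.

```java
public class DescriptionEscapeDemo {

    /**
     * Escape a value for both HTML text and double-quoted attribute contexts.
     * Hypothetical helper written for this demo; it covers the five characters
     * that let a value break out of an attribute or open a new tag.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Assumed markup shape: the description lands in an attribute and in a text node, raw. */
    static String renderUnescaped(String description) {
        return "<span title=\"" + description + "\">" + description + "</span>";
    }

    /** Same markup, with the description escaped once for the HTML context. */
    static String renderEscaped(String description) {
        String safe = escapeHtml(description);
        return "<span title=\"" + safe + "\">" + safe + "</span>";
    }

    public static void main(String[] args) {
        // Constructed sample descriptions; the last two carry injection payloads.
        String[] samples = {
            "Plain description",
            "Tom & Jerry <3",
            "\" onmouseover=\"alert(1)\" x=\"",   // breaks out of the title attribute
            "<img src=x onerror=alert(1)>"          // injects a tag into the text node
        };
        for (String d : samples) {
            System.out.println("raw:     " + renderUnescaped(d));
            System.out.println("escaped: " + renderEscaped(d));
            System.out.println();
        }
    }
}
```

Running it shows the third sample closing the `title` attribute and adding an `onmouseover` handler in the raw rendering, while the escaped rendering keeps the whole value inside the attribute as inert text. The same point applies whichever layer does the escaping: the value must be escaped exactly once, in the context where it is written into the markup.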
There is no XSS issue, as explained at https://issues.apache.org/jira/browse/OFBIZ-6506, so there is no need to escape; it is done automatically by OFBiz.
We recently committed a patch for this XSS vulnerability to Scipio ERP (an OFBiz fork):
https://github.com/ilscipio/scipio-erp/commit/cf7e8ef40af06e2903fb50a3f708a455ffd88c2a
Worth a look (www.scipioerp.com).