Question

I am evaluating Broadleaf Commerce.
Currently I have one concern. If I install out-of-the-box Broadleaf Commerce, how secure is it? What existing vulnerabilities do I need to watch for when using it out of the box?

I went through the documentation. It mentioned that SQL injection and XSS have been taken care of, but I am not sure to what extent they have been taken care of.


I am new to eCommerce and security, so I am unable to evaluate this parameter.


Solution

From the official Broadleaf forum:

Broadleaf Commerce uses an extendible ORM strategy based on JPA (and specifically Hibernate behind the scenes). If you drill down even further, we are entirely using prepared statements and we do not dynamically build queries at all using user input. This deals with the SQL injection issue.

As for XSS, we utilize Spring MVC as our de-facto engine for the presentation layer and even provide some out-of-the-box controllers to speed development in this area. Spring MVC has great support for protection against XSS through html escape sequences via simple configuration. This blog talks about it a bit more: http://sanjaysinghloha.blogspot.com/200 ... ng_05.html. Having said that, as an e-commerce framework, Broadleaf Commerce does not force you to use Spring MVC to create a site. Any modern Java-based MVC framework should work fine with Broadleaf Commerce, but care should be taken with any MVC framework choice to account for XSS protection.

One of our partners has built their entire e-commerce site on Broadleaf Commerce using Spring MVC and Spring Security and has utilized S3 Security (http://www.s3security.com) to perform their extensive penetration testing as part of their successful PCI certification. S3 uses several tools, one of which is Retina Scanner.

No vulnerabilities have been discovered so far.

IMHO, from a penetration tester's point of view, it seems pretty safe and developed with security in mind, but this still doesn't mean it's invulnerable. By implementing a WAF such as mod_security and staying aware of updates, you will be good to go.
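An added example (not Broadleaf's own code and not from the forum post) contrasting the two practices the answer describes: a JPQL query built by string concatenation versus one bound as a parameter, so JPA/Hibernate issues a prepared statement, and Spring's HTML escaping of a value reflected into a page. The `Product` entity and `SearchExample` class are assumed here for illustration only.

```java
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;
import org.springframework.web.util.HtmlUtils;

// Minimal hypothetical entity; Broadleaf's real product entity is far richer.
@Entity
class Product {
    @Id Long id;
    String name;
}

public class SearchExample {

    // Vulnerable pattern: the user's search term becomes part of the query text.
    // A term like  ' OR '1'='1  is parsed as JPQL, which is the injection risk the
    // forum answer says Broadleaf avoids by never building queries from user input.
    public static String unsafeJpql(String term) {
        return "SELECT p FROM Product p WHERE p.name LIKE '%" + term + "%'";
    }

    // Safe pattern: the term is bound as a named parameter. JPA/Hibernate sends the
    // query as a prepared statement and the term as data, never as query text.
    public static TypedQuery<Product> safeQuery(EntityManager em, String term) {
        return em.createQuery(
                "SELECT p FROM Product p WHERE p.name LIKE :pattern", Product.class)
                 .setParameter("pattern", "%" + term + "%");
    }

    // XSS: a search term echoed back in the page must be HTML-escaped first.
    // HtmlUtils.htmlEscape is the same escaping Spring MVC's form/bind tags apply
    // when the web.xml context-param "defaultHtmlEscape" is set to "true":
    //   <context-param>
    //     <param-name>defaultHtmlEscape</param-name>
    //     <param-value>true</param-value>
    //   </context-param>
    public static String escapeForHtml(String term) {
        // "<script>alert(1)</script>" -> "&lt;script&gt;alert(1)&lt;/script&gt;"
        return HtmlUtils.htmlEscape(term);
    }
}
```

Escaping at render time protects only the views that use it; any custom MVC layer built on top of Broadleaf, as the answer notes, must apply the same escaping itself.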

Licensed under: CC-BY-SA with attribution