Watson Commerce Ideas


Disallow user-supplied input from being part of error messages in the URL.

During the security test we found that user-supplied input is directly reflected into some error messages in the application URL, and an error message is reflected back to the user containing the supplied text. Please find attached the screenshot of the same. This can be abused, for example, to convince a user to visit a website to install malware pretending to be a plugin in order to correctly view the content displayed by the page, among other potential attack scenarios. Can we disallow user-supplied input from being part of error messages?

  • Guest
  • Dec 14 2018
  • Needs review

What is your industry? Retail
What is the idea priority? Medium
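The idea above asks for error messages that never carry user-supplied text. The following is an added illustration of that control, written for this page; it is not WebSphere Commerce code and is in Python rather than the product's own stack. The parameter names (`catalogId`, `errorCode`), the digits-only allowlist for a catalog id, the error-code table and the sample query strings are all constructed for the example. It contrasts the reported pattern (raw parameter value copied into the error text) with two defensive patterns: fixed wording plus a reference id, with the untrusted value going only to the server log, and URL-carried errors reduced to a code looked up in a fixed table.

```python
import logging
import re
import uuid
from urllib.parse import parse_qs

log = logging.getLogger("error-handler")

# Constructed sample inputs (not from the page): one attacker-chosen value, one legitimate id.
INJECTED_QUERY = "catalogId=Install+the+Viewer+plugin+to+continue"
LEGIT_QUERY = "catalogId=10051"

# Hypothetical allowlist for the shape of a catalog id: digits only.
CATALOG_ID_RE = re.compile(r"^[0-9]{1,10}$")

# Hypothetical mapping from error code to fixed wording. It replaces free-text error
# parameters such as ?errorMsg=... that a crafted link could fill with arbitrary text.
ERROR_TEXT = {
    "catalog.notfound": "The requested catalog could not be found.",
    "session.expired": "Your session has expired. Please sign in again.",
}
GENERIC_ERROR = "The request could not be completed."


def _param(query, name):
    """First value of a query-string parameter, or '' when absent."""
    return parse_qs(query).get(name, [""])[0]


def error_message_reflecting_input(query):
    """Vulnerable pattern (the one reported above): the raw parameter value is copied
    into the error text, so any sentence embedded in a link is shown to the user
    as if the site itself had said it."""
    return f"Error: catalog '{_param(query, 'catalogId')}' was not found."


def error_message_fixed(query):
    """Hardened pattern: fixed wording plus a short reference id for support.
    The untrusted value is echoed only when it matches the allowlisted shape;
    otherwise it goes to the server log (control characters neutralised so it
    cannot forge log lines) and never to the user."""
    value = _param(query, "catalogId")
    ref = uuid.uuid4().hex[:12]
    if CATALOG_ID_RE.fullmatch(value):
        return f"Error: catalog {value} was not found (reference {ref}).", ref
    loggable = re.sub(r"[\x00-\x1f\x7f]", "?", value)[:200]
    log.warning("ref=%s catalog lookup rejected value=%r", ref, loggable)
    return f"Error: the requested catalog could not be found (reference {ref}).", ref


def error_message_from_code(query):
    """Error text carried in the URL is reduced to a code looked up in a fixed
    table: the URL can choose which message appears, but not its wording."""
    return ERROR_TEXT.get(_param(query, "errorCode"), GENERIC_ERROR)


def reflects_input(message, query, name="catalogId"):
    """Check: does the message contain the raw parameter value verbatim?"""
    value = _param(query, name)
    return bool(value) and value in message


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(error_message_reflecting_input(INJECTED_QUERY))
    print(error_message_fixed(INJECTED_QUERY)[0])
    print(error_message_from_code("errorCode=Your+account+is+locked"))
```

The `reflects_input` check is the kind of assertion worth keeping in a regression suite: for every error path, the response body must not contain the raw request parameter unless that parameter passed an allowlist, and support staff can still correlate a user's complaint with the logged value through the reference id.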