Open DuncanDoyle opened 10 years ago
Good point, Duncan. I've created https://issues.jboss.org/browse/JBPM-4220 and have brought it to the attention of the internal teams. Thanks!
Eh.. ignore me. :( I thought you were talking about the jbpm TaskService, but obviously, you're talking about the PFP service. Oops..
The HumanTaskService.getTaskContent( ..... ) method uses a StringBuilder to build the query string which is passed to the EntityManager to create a JPA Query. The parameters are appended using the StringBuilder, which seems to introduce a SQL Injection vulnerability.
Instead, JPA named parameters should be used to build the query string.
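The pattern the issue describes, and the named-parameter fix it asks for, as an added example. This is not the project's own code: the entity `TaskContent`, its fields, the `TaskContentQueries` class and both builder methods are hypothetical stand-ins for the real `HumanTaskService.getTaskContent(...)` implementation, which is not shown on the page.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Query;
import javax.persistence.TypedQuery;

/** Hypothetical entity standing in for whatever the real service queries. */
@Entity
public class TaskContent {
    @Id
    private Long id;
    private Long taskId;
    private String content;

    public Long getTaskId() { return taskId; }
    public String getContent() { return content; }
}

/** Hypothetical query helpers; not the project's HumanTaskService. */
class TaskContentQueries {

    /**
     * VULNERABLE: the pattern reported in the issue. The caller-supplied value is
     * concatenated into the JPQL text with a StringBuilder, so whatever the caller
     * passes becomes part of the query grammar rather than a bound value.
     */
    public static Query buildUnsafe(EntityManager em, String taskId) {
        StringBuilder jpql = new StringBuilder();
        jpql.append("select c from TaskContent c where c.taskId = ")
            .append(taskId);                       // untrusted text spliced into the query
        return em.createQuery(jpql.toString());    // query text differs per request
    }

    /**
     * HARDENED: the JPQL text is a constant and the value travels as a JPA named
     * parameter. The persistence provider sends it to the database as a bound value,
     * so it can never be interpreted as part of the query.
     */
    public static TypedQuery<TaskContent> buildSafe(EntityManager em, long taskId) {
        TypedQuery<TaskContent> query = em.createQuery(
                "select c from TaskContent c where c.taskId = :taskId",
                TaskContent.class);
        query.setParameter("taskId", taskId);      // bound, not concatenated
        return query;
    }

    /**
     * Typical entry point: coerce the incoming identifier to the expected type first
     * (rejecting anything that is not a number), then run the parameterised query.
     */
    public static List<TaskContent> getTaskContent(EntityManager em, String rawTaskId) {
        long taskId;
        try {
            taskId = Long.parseLong(rawTaskId);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("taskId must be numeric: " + rawTaskId, e);
        }
        return buildSafe(em, taskId).getResultList();
    }
}
```

Two properties of `buildSafe` are worth checking in a review of the real fix: the query string handed to `createQuery` must contain no runtime-derived fragment at all (including column or entity names chosen from user input, which named parameters cannot bind), and the value must be converted to its expected Java type before binding so that type mismatches fail early rather than being coerced by the provider.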