[gatein-commits] gatein SVN: r2382 - in portal/trunk: webui/portal/src/main/java/org/exoplatform/portal/webui/application and 1 other directory.

do-not-reply at jboss.org do-not-reply at jboss.org
Mon Mar 29 07:56:29 EDT 2010 

Author: thomas.heute at jboss.com
Date: 2010-03-29 07:56:28 -0400 (Mon, 29 Mar 2010)
New Revision: 2382

Modified:
   portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties
   portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_fr.properties
   portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java
Log:
GTNPORTAL-731: XSS in portlet settings
Don't accept < and > in portlet title and description

Modified: portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties
===================================================================
--- portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties	2010-03-29 10:43:10 UTC (rev 2381)
+++ portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties	2010-03-29 11:56:28 UTC (rev 2382)
@@ -315,6 +315,8 @@
 UIPortletForm.Theme.title.SetDefault=Get Default
 UIPortletForm.Icon.title.SetDefault=Get Default
 UIPortletForm.msg.InvalidWidthHeight=You must enter a pixel value in field "{0}".
+UIPortletForm.msg.InvalidPortletTitle=Portlet title is invalid, it should not contain < or >.
+UIPortletForm.msg.InvalidPortletDescription=Portlet description is invalid, it should not contain < or >.
 
   #############################################################################
   #       org.exoplatform.portal.component.customization.UIDescription        #

Modified: portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_fr.properties
===================================================================
--- portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_fr.properties	2010-03-29 10:43:10 UTC (rev 2381)
+++ portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_fr.properties	2010-03-29 11:56:28 UTC (rev 2382)
@@ -299,6 +299,8 @@
 UIPortletForm.Theme.title.SetDefault=Utiliser la valeur par défaut
 UIPortletForm.Icon.title.SetDefault=Utiliser la valeur par défaut
 UIPortletForm.msg.InvalidWidthHeight=Le champ "{0}" doit être une valeur en pixel!
+UIPortletForm.msg.InvalidPortletTitle=Le title de la portlet est invalide, il ne doit pas contenir < ni >.
+UIPortletForm.msg.InvalidPortletDescription=La description de la portlet est invalide, elle ne doit pas contenir < ni >.
 
   #############################################################################
   #       org.exoplatform.portal.component.customization.UIDescription        #

Modified: portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java
===================================================================
--- portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java	2010-03-29 10:43:10 UTC (rev 2381)
+++ portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java	2010-03-29 11:56:28 UTC (rev 2382)
@@ -113,7 +113,8 @@
                      addValidator(MandatoryValidator.class).setEditable(false)).
       addUIFormInput(new UIFormStringInput("windowId", "windowId", null).setEditable(false)).*/
             addUIFormInput(new UIFormInputInfo("displayName", "displayName", null)).addUIFormInput(
-         new UIFormStringInput("title", "title", null).addValidator(StringLengthValidator.class, 3, 60))
+         new UIFormStringInput("title", "title", null).addValidator(StringLengthValidator.class, 3, 60).addValidator(ExpressionValidator.class, "[^\\<\\>]*", 
+               "UIPortletForm.msg.InvalidPortletTitle"))
          .addUIFormInput(
             new UIFormStringInput("width", "width", null).addValidator(ExpressionValidator.class, "(^([1-9]\\d*)px$)?",
                "UIPortletForm.msg.InvalidWidthHeight")).addUIFormInput(
@@ -123,7 +124,7 @@
          new UIFormCheckBoxInput("showPortletMode", "showPortletMode", false)).addUIFormInput(
          new UIFormCheckBoxInput("showWindowState", "showWindowState", false)).addUIFormInput(
          new UIFormTextAreaInput("description", "description", null).addValidator(StringLengthValidator.class, 0,
-            255));
+            255).addValidator(ExpressionValidator.class, "[^\\<\\>]*", "UIPortletForm.msg.InvalidPortletDescription"));
       addUIFormInput(uiSettingSet);
       UIFormInputIconSelector uiIconSelector = new UIFormInputIconSelector("Icon", "icon");
       addUIFormInput(uiIconSelector);

More information about the gatein-commits mailing list