[gatein-commits] gatein SVN: r4918 - in portal/trunk/portlet/exoadmin/src/main: webapp/groovy/applicationregistry/webui/component and 1 other directory.

do-not-reply at jboss.org do-not-reply at jboss.org
Wed Nov 3 07:16:21 EDT 2010


Author: thomas.heute at jboss.com
Date: 2010-11-03 07:16:20 -0400 (Wed, 03 Nov 2010)
New Revision: 4918

Modified:
   portal/trunk/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java
   portal/trunk/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl
   portal/trunk/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl
Log:
GTNPORTAL-1627: XSS issues in the application registry related to category display names


Modified: portal/trunk/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java
===================================================================
--- portal/trunk/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java	2010-11-03 11:05:24 UTC (rev 4917)
+++ portal/trunk/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java	2010-11-03 11:16:20 UTC (rev 4918)
@@ -19,6 +19,8 @@
 import org.exoplatform.webui.form.UIFormInputSet;
 import org.exoplatform.webui.form.UIFormPageIterator;
 
+import org.gatein.common.text.EntityEncoder;
+
 import java.util.ArrayList;
 import java.util.List;
 
@@ -77,6 +79,8 @@
       UIFormCheckBoxInput<Boolean> checkBoxInput;
       UIFormInputInfo uiInfo;
 
+      EntityEncoder encoder = EntityEncoder.FULL;
+
       //
       ApplicationRegistryService appRegService = getApplicationComponent(ApplicationRegistryService.class);
       List<ApplicationCategory> categories = getAllCategories();
@@ -91,7 +95,7 @@
             defaultValue = appRegService.getApplication(category.getName(), definitionName) != null;
          }
          checkBoxInput = new UIFormCheckBoxInput<Boolean>("category_" + category.getName(), null, defaultValue);
-         uiInfo = new UIFormInputInfo("categoryName", null, category.getDisplayName());
+         uiInfo = new UIFormInputInfo("categoryName", null, encoder.encode(category.getDisplayName()));
          uiInputSet.addChild(checkBoxInput);
          uiInputSet.addChild(uiInfo);
          uiTableInputSet.addChild(uiInputSet);
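Review bot: Encoding the display name before it is stored in the UIFormInputInfo value, `uiInfo = new UIFormInputInfo("categoryName", null, encoder.encode(category.getDisplayName()));`, moves escaping into the model layer, so if UIFormInputInfo's own template also escapes its value the label renders double-encoded, and any code that reads the info value back sees entity text rather than the display name. Confirm the renderer emits the value verbatim, or encode at output as the two .gtmpl changes in this commit do, and record the choice on the line with `// encoded here because UIFormInputInfo renders its value raw (GTNPORTAL-1627)`. The checkbox name on the preceding line, `"category_" + category.getName()`, still passes through unencoded; whether that is safe depends on how UIFormCheckBoxInput writes the name attribute, which is outside this hunk. It is also worth checking that `encoder.encode` tolerates a null display name, since the original passed the value through unchanged. The enclosing method starts before this hunk.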

Modified: portal/trunk/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl
===================================================================
--- portal/trunk/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl	2010-11-03 11:05:24 UTC (rev 4917)
+++ portal/trunk/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl	2010-11-03 11:16:20 UTC (rev 4918)
@@ -1,6 +1,8 @@
 <%
 	import org.exoplatform.applicationregistry.webui.component.UICategorySelector;
-	
+	import org.gatein.common.text.EntityEncoder;
+
+        EntityEncoder encoder = EntityEncoder.FULL;
 	def gadget = uicomponent.getGadget();
 	boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
 	String srcBGError = "/eXoResources/skin/sharedImages/Icon80x80/DefaultPortlet.png";
@@ -59,7 +61,7 @@
 				<table>
 					<tr>
 						<td class="LeftLabel"><%=_ctx.appRes("UIGadgetInfo.label.categories")%></td>
-						<td class="RightLabel">$categoryNames
+						<td class="RightLabel"><%= encoder.encode(categoryNames) %>
 								<% if (categoryNames.equals("")) { %>
 										<%=_ctx.appRes("UIGadgetInfo.label.categories.guide")%><br/>
 										<% if (!selectorRender) { %>
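Review bot: The new `EntityEncoder encoder = EntityEncoder.FULL;` line is indented with eight spaces where the surrounding script block uses a tab, and the same mixed indentation appears on the import and encoder lines added to UIPortletInfo.gtmpl; both should be retabbed to match their files. The `<%= encoder.encode(categoryNames) %>` cell correctly replaces the raw GString `$categoryNames`, and the identical change in UIPortletInfo.gtmpl's second hunk needs no separate note. The `categoryNames.equals("")` test below still runs on the unencoded value, which is right because encoding does not change emptiness. A comment above the encoder declaration, `// category display names are user-supplied; route them through encoder before output (GTNPORTAL-1627)`, would record why the GString interpolation was dropped.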
@@ -80,4 +82,4 @@
 				uicomponent.renderChildren(); 
 		} %>
 	</div>
-</div>
\ No newline at end of file
+</div>

Modified: portal/trunk/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl
===================================================================
--- portal/trunk/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl	2010-11-03 11:05:24 UTC (rev 4917)
+++ portal/trunk/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl	2010-11-03 11:16:20 UTC (rev 4918)
@@ -2,9 +2,11 @@
 	import java.util.Iterator;
 	import java.util.Map.Entry;
 	import org.exoplatform.applicationregistry.webui.component.UICategorySelector;
+        import org.gatein.common.text.EntityEncoder;
     
-  boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
-  String categoryNames = uicomponent.getCategorieNames();
+	boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
+	String categoryNames = uicomponent.getCategorieNames();
+        EntityEncoder encoder = EntityEncoder.FULL;
 	def portlet = uicomponent.getPortlet();
 	def portletPreferences = portlet.getPortletPreferences();
 	String srcBG = "/" + portlet.getPortletGroup() + "/skin/DefaultSkin/portletIcons/" + portlet.getName() + ".png";
@@ -64,7 +66,7 @@
 					</tr>
 					<tr>
 					  <td class="LeftLabel"><%= _ctx.appRes("UIPortletInfo.label.categories") %></td>
-					  <td class="RightLabel">$categoryNames
+					  <td class="RightLabel"><%= encoder.encode(categoryNames) %>
 					    <% if (categoryNames.equals("")) { %>
                 <%=_ctx.appRes("UIPortletInfo.label.categories.guide")%><br/>
                 <% if (!selectorRender) { %>
@@ -111,4 +113,4 @@
 			</table>
 		</div>
 		<% }%>
-</div>	
\ No newline at end of file
+</div>	


