[gatein-commits] gatein SVN: r4980 - in epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main: webapp/groovy/applicationregistry/webui/component and 1 other directory.
Author: thomas.heute at jboss.com
Date: 2010-11-09 05:09:36 -0500 (Tue, 09 Nov 2010)
New Revision: 4980
Modified:
epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java
epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl
epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl
Log:
JBEPP-604: XSS issues in the application registry related to category display names
Modified: epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java
===================================================================
--- epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java 2010-11-09 10:07:06 UTC (rev 4979)
+++ epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java 2010-11-09 10:09:36 UTC (rev 4980)
@@ -19,6 +19,8 @@
import org.exoplatform.webui.form.UIFormInputSet;
import org.exoplatform.webui.form.UIFormPageIterator;
+import org.gatein.common.text.EntityEncoder;
+
import java.util.ArrayList;
import java.util.List;
@@ -77,6 +79,8 @@
UIFormCheckBoxInput<Boolean> checkBoxInput;
UIFormInputInfo uiInfo;
+ EntityEncoder encoder = EntityEncoder.FULL;
+
//
ApplicationRegistryService appRegService = getApplicationComponent(ApplicationRegistryService.class);
List<ApplicationCategory> categories = getAllCategories();
@@ -91,7 +95,7 @@
defaultValue = appRegService.getApplication(category.getName(), definitionName) != null;
}
checkBoxInput = new UIFormCheckBoxInput<Boolean>("category_" + category.getName(), null, defaultValue);
- uiInfo = new UIFormInputInfo("categoryName", null, category.getDisplayName());
+ uiInfo = new UIFormInputInfo("categoryName", null, encoder.encode(category.getDisplayName()));
uiInputSet.addChild(checkBoxInput);
uiInputSet.addChild(uiInfo);
uiTableInputSet.addChild(uiInputSet);
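Review bot: The encoding on the `+` line is applied when the display name is stored into the UIFormInputInfo rather than when it is rendered, so if the UIFormInputInfo template already entity-encodes its value the name will be double-encoded (`&amp;amp;` for `&`), and any code that reads the value back through the component now gets entity text instead of the original string; confirm how UIFormInputInfo renders before keeping the encode here instead of in its template. The unchanged line above still passes `category.getName()` raw into the checkbox component name (`"category_" + category.getName()`); if that name is emitted into an HTML attribute without encoding it is the same class of issue, though the internal name is presumably more constrained than the display name, so verify against the checkbox template. It is also not visible whether `EntityEncoder.encode` tolerates a null display name; if null display names can occur, a guard such as `category.getDisplayName() == null ? null : encoder.encode(category.getDisplayName())` is needed. The enclosing method starts and ends outside the hunk.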
Modified: epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl
===================================================================
--- epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl 2010-11-09 10:07:06 UTC (rev 4979)
+++ epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl 2010-11-09 10:09:36 UTC (rev 4980)
@@ -1,6 +1,8 @@
<%
import org.exoplatform.applicationregistry.webui.component.UICategorySelector;
-
+ import org.gatein.common.text.EntityEncoder;
+
+ EntityEncoder encoder = EntityEncoder.FULL;
def gadget = uicomponent.getGadget();
boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
String srcBGError = "/eXoResources/skin/sharedImages/Icon80x80/DefaultPortlet.png";
@@ -59,7 +61,7 @@
<table>
<tr>
<td class="LeftLabel"><%=_ctx.appRes("UIGadgetInfo.label.categories")%></td>
- <td class="RightLabel">$categoryNames
+ <td class="RightLabel"><%= encoder.encode(categoryNames) %>
<% if (categoryNames.equals("")) { %>
<%=_ctx.appRes("UIGadgetInfo.label.categories.guide")%><br/>
<% if (!selectorRender) { %>
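Review bot: The `+` line encodes `categoryNames` at output, which is the right place, but only this one interpolation is changed; the rest of the template lies outside the hunk, and any other `$var` or `<%= %>` emission of model-derived strings there needs the same `encoder.encode(...)` treatment, since the replaced `$categoryNames` shows that plain interpolation writes the raw value. The same observation applies to the matching hunk in UIPortletInfo.gtmpl. The `categoryNames.equals("")` test on the following line correctly compares the raw value, so it needs no change.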
@@ -80,4 +82,4 @@
uicomponent.renderChildren();
} %>
</div>
-</div>
\ No newline at end of file
+</div>
Modified: epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl
===================================================================
--- epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl 2010-11-09 10:07:06 UTC (rev 4979)
+++ epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl 2010-11-09 10:09:36 UTC (rev 4980)
@@ -2,9 +2,11 @@
import java.util.Iterator;
import java.util.Map.Entry;
import org.exoplatform.applicationregistry.webui.component.UICategorySelector;
+ import org.gatein.common.text.EntityEncoder;
- boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
- String categoryNames = uicomponent.getCategorieNames();
+ boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
+ String categoryNames = uicomponent.getCategorieNames();
+ EntityEncoder encoder = EntityEncoder.FULL;
def portlet = uicomponent.getPortlet();
def portletPreferences = portlet.getPortletPreferences();
String srcBG = "/" + portlet.getPortletGroup() + "/skin/DefaultSkin/portletIcons/" + portlet.getName() + ".png";
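Review bot: The two `-`/`+` pairs for `selectorRender` and `categoryNames` carry no visible change apart from whitespace, which pads a security fix with unrelated churn and makes the real change harder to audit; keep those as context lines and add only the `import` and `EntityEncoder encoder = EntityEncoder.FULL;` lines. Placing the new import with the other imports and the encoder declaration next to its first use would also keep the template header readable. The `srcBG` path on the last context line concatenates `portlet.getPortletGroup()` and `portlet.getName()` into what is presumably an image URL; if it is later emitted into a `src` attribute with the same raw interpolation it should be encoded as well, though those values are likely deployment-defined rather than user-entered.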
@@ -64,7 +66,7 @@
</tr>
<tr>
<td class="LeftLabel"><%= _ctx.appRes("UIPortletInfo.label.categories") %></td>
- <td class="RightLabel">$categoryNames
+ <td class="RightLabel"><%= encoder.encode(categoryNames) %>
<% if (categoryNames.equals("")) { %>
<%=_ctx.appRes("UIPortletInfo.label.categories.guide")%><br/>
<% if (!selectorRender) { %>
@@ -111,4 +113,4 @@
</table>
</div>
<% }%>
-</div>
\ No newline at end of file
+</div>