[gatein-commits] gatein SVN: r5118 - in exo/portal/branches/3.1.x/portlet/exoadmin/src/main: webapp/groovy/applicationregistry/webui/component and 1 other directory.



Author: kien_nguyen
Date: 2010-11-16 22:06:57 -0500 (Tue, 16 Nov 2010)
New Revision: 5118

Modified:
   exo/portal/branches/3.1.x/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java
   exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl
   exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl
Log:
EXOGTN-147 [PLF] XSS issues in the application registry related to category display names

Modified: exo/portal/branches/3.1.x/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java
===================================================================
--- exo/portal/branches/3.1.x/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java	2010-11-17 03:03:47 UTC (rev 5117)
+++ exo/portal/branches/3.1.x/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java	2010-11-17 03:06:57 UTC (rev 5118)
@@ -18,6 +18,8 @@
 import org.exoplatform.webui.form.UIFormInputSet;
 import org.exoplatform.webui.form.UIFormPageIterator;
 
+import org.gatein.common.text.EntityEncoder;
+
 import java.util.ArrayList;
 import java.util.List;
 
@@ -76,6 +78,8 @@
       UIFormCheckBoxInput<Boolean> checkBoxInput;
       UIFormInputInfo uiInfo;
 
+      EntityEncoder encoder = EntityEncoder.FULL;
+
       //
       ApplicationRegistryService appRegService = getApplicationComponent(ApplicationRegistryService.class);
       List<ApplicationCategory> categories = getAllCategories();
@@ -90,7 +94,7 @@
             defaultValue = appRegService.getApplication(category.getName(), definitionName) != null;
          }
          checkBoxInput = new UIFormCheckBoxInput<Boolean>("category_" + category.getName(), null, defaultValue);
-         uiInfo = new UIFormInputInfo("categoryName", null, category.getDisplayName());
+         uiInfo = new UIFormInputInfo("categoryName", null, encoder.encode(category.getDisplayName()));
          uiInputSet.addChild(checkBoxInput);
          uiInputSet.addChild(uiInfo);
          uiTableInputSet.addChild(uiInputSet);
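Review bot: `encoder.encode(category.getDisplayName())` is now evaluated unconditionally, whereas the replaced line handed the raw value to `UIFormInputInfo`; if `getDisplayName()` can be null for a category and `EntityEncoder.encode` does not accept null, this line turns a previously tolerated value into an NPE while building the selector. A guard keeps the old null behaviour: `String displayName = category.getDisplayName();` and `uiInfo = new UIFormInputInfo("categoryName", null, displayName == null ? null : encoder.encode(displayName));`. Note also that the encoding here happens when the component is built rather than when it is rendered, unlike the two templates in this commit which encode at the output point, so the value stored in `UIFormInputInfo` is already entity text and its renderer must emit it without a second encoding or `&` becomes `&amp;amp;` — worth a comment on the line, e.g. `// display name is pre-encoded here; the info field must render it verbatim`. The component name `"category_" + category.getName()` on the preceding line still carries the unencoded category name; whether that reaches markup is not visible in this hunk, so confirm it is not a second path for the same registry-supplied value. The enclosing method starts and ends outside the hunk.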

Modified: exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl
===================================================================
--- exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl	2010-11-17 03:03:47 UTC (rev 5117)
+++ exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl	2010-11-17 03:06:57 UTC (rev 5118)
@@ -1,6 +1,8 @@
 <%
 	import org.exoplatform.applicationregistry.webui.component.UICategorySelector;
-	
+	import org.gatein.common.text.EntityEncoder;
+
+        EntityEncoder encoder = EntityEncoder.FULL;
 	def gadget = uicomponent.getGadget();
 	boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
 	String srcBGError = "/eXoResources/skin/sharedImages/Icon80x80/DefaultPortlet.png";
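Review bot: The new `EntityEncoder encoder = EntityEncoder.FULL;` line is indented with eight spaces while every neighbouring line in this script block uses a tab, and the same mixed indentation appears in the UIPortletInfo.gtmpl header hunk, where the new import and encoder lines use spaces while the two `selectorRender`/`categoryNames` lines are rewritten from spaces to tabs in the same change. The re-indentation of those two unchanged statements adds diff noise that obscures the actual XSS fix; either leave them untouched or convert the whole block consistently. Declaring the encoder once per template as a local is also duplicated across both templates; a comment such as `// output encoder for registry-supplied strings rendered in this template` would make the intent clear to the next editor.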
@@ -59,7 +61,7 @@
 				<table>
 					<tr>
 						<td class="LeftLabel"><%=_ctx.appRes("UIGadgetInfo.label.categories")%></td>
-						<td class="RightLabel">$categoryNames
+						<td class="RightLabel"><%= encoder.encode(categoryNames) %>
 								<% if (categoryNames.equals("")) { %>
 										<%=_ctx.appRes("UIGadgetInfo.label.categories.guide")%><br/>
 										<% if (!selectorRender) { %>

Modified: exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl
===================================================================
--- exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl	2010-11-17 03:03:47 UTC (rev 5117)
+++ exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl	2010-11-17 03:06:57 UTC (rev 5118)
@@ -2,9 +2,11 @@
 	import java.util.Iterator;
 	import java.util.Map.Entry;
 	import org.exoplatform.applicationregistry.webui.component.UICategorySelector;
+        import org.gatein.common.text.EntityEncoder;
     
-  boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
-  String categoryNames = uicomponent.getCategorieNames();
+	boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
+	String categoryNames = uicomponent.getCategorieNames();
+    EntityEncoder encoder = EntityEncoder.FULL;
 	def portlet = uicomponent.getPortlet();
 	def portletPreferences = portlet.getPortletPreferences();
 	String srcBG = "/" + portlet.getPortletGroup() + "/skin/DefaultSkin/portletIcons/" + portlet.getName() + ".png";
@@ -64,7 +66,7 @@
 					</tr>
 					<tr>
 					  <td class="LeftLabel"><%= _ctx.appRes("UIPortletInfo.label.categories") %></td>
-					  <td class="RightLabel">$categoryNames
+					  <td class="RightLabel"><%= encoder.encode(categoryNames) %>
 					    <% if (categoryNames.equals("")) { %>
                 <%=_ctx.appRes("UIPortletInfo.label.categories.guide")%><br/>
                 <% if (!selectorRender) { %>


