[gatein-commits] gatein SVN: r6207 - in epp/portal/branches/EPP_5_1_Branch: portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component and 1 other directories.

do-not-reply at jboss.org do-not-reply at jboss.org
Wed Apr 13 08:52:51 EDT 2011


Author: hfnukal
Date: 2011-04-13 08:52:50 -0400 (Wed, 13 Apr 2011)
New Revision: 6207

Modified:
   epp/portal/branches/EPP_5_1_Branch/portlet/dashboard/src/main/webapp/groovy/dashboard/webui/component/UITabPaneDashboard.gtmpl
   epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarDashboardPortlet.gtmpl
   epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarGroupPortlet.gtmpl
   epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/core/UIPopupMessages.gtmpl
Log:
JBEPP-597 XSS issue in dashboard new page creation

Modified: epp/portal/branches/EPP_5_1_Branch/portlet/dashboard/src/main/webapp/groovy/dashboard/webui/component/UITabPaneDashboard.gtmpl
===================================================================
--- epp/portal/branches/EPP_5_1_Branch/portlet/dashboard/src/main/webapp/groovy/dashboard/webui/component/UITabPaneDashboard.gtmpl	2011-04-13 12:30:38 UTC (rev 6206)
+++ epp/portal/branches/EPP_5_1_Branch/portlet/dashboard/src/main/webapp/groovy/dashboard/webui/component/UITabPaneDashboard.gtmpl	2011-04-13 12:52:50 UTC (rev 6207)
@@ -6,6 +6,7 @@
 	import org.exoplatform.portal.webui.portal.UIPortal;
 	import org.exoplatform.portal.application.PortalRequestContext;
 	import org.exoplatform.web.application.JavascriptManager;
+	import org.gatein.common.text.EntityEncoder;
 	
 	//PageNavigation pageNavigation = uicomponent.getPageNavigation();
 	//ArrayList<PageNode> nodes = pageNavigation.getNodes();
@@ -31,6 +32,8 @@
 						<% for(int i = 0;i < tabNbs;i++){ 
 							 		node = nodes.get(i);
 							 		String tabLabel = node.getResolvedLabel();
+									EntityEncoder encoder = EntityEncoder.FULL;
+									tabLabel = encoder.encode(tabLabel);
 									String param = "" + i;
 									if(node.getUri().equals(selectedNode.getUri())){ 
 		  						%>
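Review bot: `EntityEncoder encoder = EntityEncoder.FULL;` on the added line sits inside the `for` loop and is re-declared on every iteration; move it above the loop (next to where `tabNbs` is computed) and keep only `tabLabel = encoder.encode(tabLabel);` in the body. The encoder applies HTML entity escaping, which is the right treatment only where `tabLabel` is printed as element text or inside a quoted attribute; if the template later interpolates it into a JavaScript string or an event-handler attribute, a JavaScript-string escape is needed as well, and since the uses of `tabLabel` are outside the hunk that should be confirmed. The loop body continues past the end of the hunk.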

Modified: epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarDashboardPortlet.gtmpl
===================================================================
--- epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarDashboardPortlet.gtmpl	2011-04-13 12:30:38 UTC (rev 6206)
+++ epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarDashboardPortlet.gtmpl	2011-04-13 12:52:50 UTC (rev 6207)
@@ -4,6 +4,7 @@
 	import org.exoplatform.web.application.JavascriptManager;
 	import org.exoplatform.portal.webui.util.Util ;
 	import org.exoplatform.webui.organization.OrganizationUtils;
+	import org.gatein.common.text.EntityEncoder;
 	
 	def rcontext = _ctx.getRequestContext() ;
 	JavascriptManager jsmanager = rcontext.getJavascriptManager();
@@ -57,6 +58,8 @@
 		String title = "";
 		if(toolong) title = "title='$node.resolvedLabel'";
 		else title = "";
+		EntityEncoder entityEncoder = EntityEncoder.FULL;
+                label = entityEncoder.encode(label);
 		print """
 			<div class="MenuItem $tabStyleNavigation">
 				<div class="$clazz">
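Review bot: The `title` attribute built on the line `if(toolong) title = "title='$node.resolvedLabel'";` still interpolates the raw resolved label, while only `label` is encoded two lines later, so an apostrophe or `<` in the label still reaches the markup unencoded through the attribute and the issue named in the log message is only partly closed here. Declare the encoder first and encode both values: `EntityEncoder entityEncoder = EntityEncoder.FULL;` then `if(toolong) title = "title='" + entityEncoder.encode(node.resolvedLabel) + "'";` then `label = entityEncoder.encode(label);`. The same unencoded `title` pattern is present in UIUserToolBarGroupPortlet.gtmpl, where this commit only re-indents the encoder line. The added `label = entityEncoder.encode(label);` line is indented with spaces where the surrounding template uses tabs. The enclosing block starts and ends outside the hunk.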

Modified: epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarGroupPortlet.gtmpl
===================================================================
--- epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarGroupPortlet.gtmpl	2011-04-13 12:30:38 UTC (rev 6206)
+++ epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarGroupPortlet.gtmpl	2011-04-13 12:52:50 UTC (rev 6207)
@@ -49,7 +49,7 @@
 		String title = "";
 		if(toolong) title = "title='$node.resolvedLabel'";
 		else title = "";
-        EntityEncoder entityEncoder = EntityEncoder.FULL;
+		EntityEncoder entityEncoder = EntityEncoder.FULL;
 		label = entityEncoder.encode(label);
 		print """
 			<div class="MenuItem $tabStyleNavigation">

Modified: epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/core/UIPopupMessages.gtmpl
===================================================================
--- epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/core/UIPopupMessages.gtmpl	2011-04-13 12:30:38 UTC (rev 6206)
+++ epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/core/UIPopupMessages.gtmpl	2011-04-13 12:52:50 UTC (rev 6207)
@@ -7,7 +7,8 @@
 	 * version: $Id$
 	 */  
 %>
-<%	
+<%
+        import org.gatein.common.text.EntityEncoder;	
 	String popupId = uicomponent.getId();
 	
 	def rcontext = _ctx.getRequestContext();
@@ -69,6 +70,8 @@
 					}
 			    }
 			}
+                        EntityEncoder encoder = EntityEncoder.FULL;
+			msgValue = encoder.encode(msgValue);
 			println msgValue;
 			println "						 </div>";
 			println "						 <div style=\"clear:left\"><span></span></div>";
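Review bot: `msgValue = encoder.encode(msgValue);` encodes the fully assembled message immediately before `println msgValue;`, so any message text that deliberately carries markup (for example a line break or link in a resource bundle) would now be printed literally; whether such messages exist cannot be seen from the hunk, so this should be checked against the bundles, and if they do, the untrusted arguments should be encoded where the message is built rather than the finished string. The added `EntityEncoder encoder = EntityEncoder.FULL;` line is indented with spaces in a tab-indented file, as is the `import org.gatein.common.text.EntityEncoder;` added at the top of this file, which also carries a trailing tab after the semicolon. The enclosing loop or conditional starts outside the hunk.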
@@ -166,4 +169,4 @@
 			rcontext.getJavascriptManager().addJavascript("eXo.webui.UIPopupWindow.show('$popupId', $uicomponent.showMask);");
 			rcontext.getJavascriptManager().addJavascript("window.setTimeout(\"eXo.webui.UIPopupWindow.increasezIndex('$popupId')\", 100);");
 		}
-	%>
\ No newline at end of file
+	%>


