[gatein-commits] gatein SVN: r7380 - in portal/branches/xss: portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component and 1 other directories.

[do-not-reply at jboss.org]

Author: ndkhoiits
Date: 2011-09-13 07:30:58 -0400 (Tue, 13 Sep 2011)
New Revision: 7380

Modified:
   portal/branches/xss/
   portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UISiteManagement.gtmpl
   portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalForm.java
Log:
GTNPORTAL-2062 XSS issue when entering site description


Property changes on: portal/branches/xss
___________________________________________________________________
Modified: svn:mergeinfo
   - /epp/portal/branches/EPP_5_1_Branch:6841
/portal/branches/branch-GTNPORTAL-1790:5864-5919
/portal/branches/branch-GTNPORTAL-1822:5938-5991
/portal/branches/branch-GTNPORTAL-1832:5993-6105
/portal/branches/branch-GTNPORTAL-1872:6327-6594
/portal/branches/branch-GTNPORTAL-1921:6597-6803
/portal/branches/branch-GTNPORTAL-1963:6902-6986
/portal/branches/decoupled-webos:6214-6243
/portal/branches/dom:7272-7349
/portal/branches/gatein-management:6920-6958
/portal/branches/global-portlet-metadata:6298-6384
/portal/branches/site-describability:6171-6235
/portal/branches/wsrp-extraction:5828-6031
/portal/branches/xss-issues:7350
   + /epp/portal/branches/EPP_5_1_Branch:6841
/portal/branches/branch-GTNPORTAL-1790:5864-5919
/portal/branches/branch-GTNPORTAL-1822:5938-5991
/portal/branches/branch-GTNPORTAL-1832:5993-6105
/portal/branches/branch-GTNPORTAL-1872:6327-6594
/portal/branches/branch-GTNPORTAL-1921:6597-6803
/portal/branches/branch-GTNPORTAL-1963:6902-6986
/portal/branches/decoupled-webos:6214-6243
/portal/branches/dom:7272-7349
/portal/branches/gatein-management:6920-6958
/portal/branches/global-portlet-metadata:6298-6384
/portal/branches/site-describability:6171-6235
/portal/branches/wsrp-extraction:5828-6031
/portal/branches/xss-issues:7350-7351

Modified: portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UISiteManagement.gtmpl
===================================================================
--- portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UISiteManagement.gtmpl	2011-09-13 11:19:54 UTC (rev 7379)
+++ portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UISiteManagement.gtmpl	2011-09-13 11:30:58 UTC (rev 7380)
@@ -1,62 +1,67 @@
 <%
+  import org.exoplatform.portal.config.UserPortalConfigService;
   import org.exoplatform.webui.core.UIComponent ;
   import org.exoplatform.webui.form.UIForm;
-  import java.text.DateFormat;
-  import java.text.SimpleDateFormat;
-  import org.exoplatform.portal.config.UserPortalConfigService;
-   
+  
+  import org.gatein.common.text.EntityEncoder;
+  
   String[] actions =  uicomponent.getActions();
   uicomponent.loadPortalConfigs();
   def rcontext = _ctx.getRequestContext();
   def userPortalConfigService = uicomponent.getApplicationComponent(UserPortalConfigService.class);
   def defaultPortalName = userPortalConfigService.getDefaultPortal();
+  EntityEncoder encoder = EntityEncoder.FULL;
+  
+  String editLayoutLabel = _ctx.appRes("UISiteManagement.label.editLayout");
+  String editNavigationLabel = _ctx.appRes("UISiteManagement.label.editNav");
+  String editPortalPropLabel = _ctx.appRes("UISiteManagement.label.editPortalProp");
+  String deletePortalLabel = _ctx.appRes("UISiteManagement.label.deletePortal");
 %>
 <div class="UISiteManagement UIManagement" id="<%=uicomponent.getId();%>">
-	  <%
-		    for (portalConfig in uicomponent.getPortalConfigs())  {		      
-	  %>
-		      	<table class="ManagementBlock" style="table-layout: fixed">
-		      		<tr>
-				      	<td class="Image"><img src="/exoadmin/skin/navigation/webui/component/background/PlImg.gif" alt=""/></td>
-				      	<td class="Content">
+      <%
+            for (portalConfig in uicomponent.getPortalConfigs())  {           
+      %>
+                <table class="ManagementBlock" style="table-layout: fixed">
+                    <tr>
+                        <td class="Image"><img src="/exoadmin/skin/navigation/webui/component/background/PlImg.gif" alt=""/></td>
+                        <td class="Content">
                            <div class="Label"><%=uicomponent.getFieldValue(portalConfig, 'name') %></div>
                            <%
-                           def siteLabel = uicomponent.getFieldValue(portalConfig, 'label');
-                           def siteDescription = uicomponent.getFieldValue(portalConfig, 'description');
-                           if (siteLabel != null && siteLabel.trim().length() > 0)
-                           {
+                           String siteLabel = uicomponent.getFieldValue(portalConfig, 'label');
+                           if (siteLabel != null && siteLabel.trim().length() > 0) {
+                              siteLabel = encoder.encode(siteLabel);
                               print """<div>$siteLabel</div>""";
                            }
-                           if (siteDescription != null && siteDescription.trim().length() > 0)
-                           {
+                           
+                           String siteDescription = uicomponent.getFieldValue(portalConfig, 'description');
+                           if (siteDescription != null && siteDescription.trim().length() > 0) {
+                              siteDescription = encoder.encode(siteDescription);
                               print """<div>$siteDescription</div>""";
                            }
                            %>
-					    </td>
-				        <td class="ActionBlock">
-					        	<a href="<%=uicomponent.event("EditPortalLayout", portalConfig.getName());%>" class="EditLayoutIcon"><%=_ctx.appRes("UISiteManagement.label.editLayout")%></a>
-					        	<a href="<%=uicomponent.event("EditNavigation", portalConfig.getName());%>" class="EditNavIcon"><%=_ctx.appRes("UISiteManagement.label.editNav")%></a>
-					        	<a href="javascript:ajaxGet(eXo.env.server.createPortalURL('UIPortal', 'EditPortalProperties', true, [{name:'portalName',value:'<%=portalConfig.getName()%>'}]))" class="EditNavIcon"><%=_ctx.appRes("UISiteManagement.label.editPortalProp")%></a>
-					        	
-					        	<% if(defaultPortalName != null && !defaultPortalName.equals(portalConfig.getName())) {%>
-					        		<a href="<%=uicomponent.url("DeletePortal", portalConfig.getName());%>" class="DeleteIcon"><%=_ctx.appRes("UISiteManagement.label.deletePortal")%></a>
-					        	<% } %>
-				        </td>
-				      </tr>
-				    </table>    
-		<%		    
-		  }
-		%> 
-	<%
-		if(uicomponent.getPortalConfigs() != null && uicomponent.getPortalConfigs().size() > 0){
-	%>
-	<div class="UIAction"> 
+                        </td>
+                        <td class="ActionBlock">
+                                <a href="<%=uicomponent.event("EditPortalLayout", portalConfig.getName());%>" class="EditLayoutIcon">$editLayoutLabel</a>
+                                <a href="<%=uicomponent.event("EditNavigation", portalConfig.getName());%>" class="EditNavIcon">$editNavigationLabel</a>
+                                <a href="javascript:ajaxGet(eXo.env.server.createPortalURL('UIPortal', 'EditPortalProperties', true, [{name:'portalName',value:'<%=portalConfig.getName()%>'}]))" class="EditNavIcon">$editPortalPropLabel</a>
+                                
+                                <% if(defaultPortalName != null && !defaultPortalName.equals(portalConfig.getName())) {%>
+                                    <a href="<%=uicomponent.url("DeletePortal", portalConfig.getName());%>" class="DeleteIcon">$deletePortalLabel</a>
+                                <% } %>
+                        </td>
+                      </tr>
+                    </table>    
+        <%          
+          }
+        %> 
+    <%
+        if(uicomponent.getPortalConfigs() != null && uicomponent.getPortalConfigs().size() > 0){
+    %>
+    <div class="UIAction"> 
 		<a href="javascript:void(0);" onclick="ajaxGet(eXo.env.server.createPortalURL('UIWorkingWorkspace', 'CreatePortal', true))" class="ActionButton LightBlueStyle"><%=_ctx.appRes(uicomponent.getId() + ".action.addNewPortal")%></a>
 	</div>
 	<%
 		}
 	%>
 	<%uicomponent.renderChildren();%>
-</div>
-
-
+</div>
\ No newline at end of file

Modified: portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalForm.java
===================================================================
--- portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalForm.java	2011-09-13 11:19:54 UTC (rev 7379)
+++ portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalForm.java	2011-09-13 11:30:58 UTC (rev 7380)
@@ -63,6 +63,7 @@
 import org.exoplatform.webui.form.UIFormTabPane;
 import org.exoplatform.webui.form.validator.IdentifierValidator;
 import org.exoplatform.webui.form.validator.MandatoryValidator;
+import org.exoplatform.webui.form.validator.SpecialCharacterValidator;
 import org.exoplatform.webui.form.validator.StringLengthValidator;
 import org.exoplatform.webui.organization.UIListPermissionSelector;
 import org.exoplatform.webui.organization.UIListPermissionSelector.EmptyIteratorValidator;
@@ -242,7 +243,7 @@
          new UIFormStringInput(FIELD_NAME, FIELD_NAME, null).addValidator(MandatoryValidator.class).addValidator(
             StringLengthValidator.class, 3, 30).addValidator(IdentifierValidator.class).setEditable(false));
       
-      uiSettingSet.addUIFormInput(new UIFormStringInput(FIELD_LABEL, FIELD_LABEL, null));
+      uiSettingSet.addUIFormInput(new UIFormStringInput(FIELD_LABEL, FIELD_LABEL, null).addValidator(SpecialCharacterValidator.class));
       uiSettingSet.addUIFormInput(new UIFormStringInput(FIELD_DESCRIPTION, FIELD_DESCRIPTION, null));
       uiSettingSet.addUIFormInput(new UIFormSelectBox(FIELD_LOCALE, FIELD_LOCALE, languages).addValidator(MandatoryValidator.class));