Author: trong.tran
Date: 2011-09-22 07:58:08 -0400 (Thu, 22 Sep 2011)
New Revision: 7483
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormHiddenInput.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputInfo.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormSelectBox.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormWYSIWYGInput.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormColorPicker.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormComboBox.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormInputSetWithAction.java
Log:
GTNPORTAL-2123 HTML encoding is needed for most of UIFormInput components to avoid XSS
attacks
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormHiddenInput.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormHiddenInput.java 2011-09-22
11:32:42 UTC (rev 7482)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormHiddenInput.java 2011-09-22
11:58:08 UTC (rev 7483)
@@ -20,6 +20,7 @@
package org.exoplatform.webui.form;
import org.exoplatform.webui.application.WebuiRequestContext;
+import org.gatein.common.text.EntityEncoder;
import java.io.Writer;
@@ -62,10 +63,12 @@
print.write(" id='");
print.write(getId());
print.write("'");
- if (value_ != null && value_.length() > 0)
+ String value = getValue();
+ if (value != null && value.length() > 0)
{
print.write(" value='");
- print.write(value_);
+ value = EntityEncoder.FULL.encode(value);
+ print.write(value);
print.write("'");
}
print.write(" />");
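Review bot: The encoded value on the new line `print.write(value);` is written into a single-quoted attribute (`value='…'`), so the fix depends on `EntityEncoder.FULL` escaping the apostrophe as well as `<`, `>`, `&` and `"`; that cannot be confirmed from this hunk, and a one-line comment at the encode site would make the assumption explicit, e.g. `// single-quoted attribute: relies on FULL also encoding '\''`. The hunk also switches from the `value_` field to `getValue()`; if `getValue()` applies any conversion in this class, the rendered text changes beyond encoding, which is worth a sentence in the commit or a comment. The enclosing render method continues past the end of the hunk.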
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java 2011-09-22
11:32:42 UTC (rev 7482)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java 2011-09-22
11:58:08 UTC (rev 7483)
@@ -91,11 +91,6 @@
*/
protected boolean readonly_ = false;
- /**
- * Encode the value before rendering or not. The value will be encoded by default.
- */
- protected boolean escapedHTML_ = true;
-
public UIFormInputBase(String name, String bindingField, Class<T> typeValue)
{
this.name = name;
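Review bot: Dropping the public `isEscapedHTML()`/`setEscapedHTML(boolean)` pair (this hunk removes the field, the hunk at `@@ -242,15 +237,4 @@` removes the accessors) is a source- and binary-incompatible change to `UIFormInputBase`, so any template or extension component that called `setEscapedHTML(false)` stops compiling rather than silently being corrected. Making encoding unconditional is the right outcome; keeping the accessors as deprecated no-ops gives the same security result while letting callers compile, and the Javadoc then documents that the opt-out is gone. The constructor at the bottom of the hunk is unaffected.
```java
/** @deprecated values are always HTML-encoded on render; kept for source compatibility and has no effect. */
@Deprecated
public boolean isEscapedHTML()
{
   return true;
}

/** @deprecated values are always HTML-encoded on render; the argument is ignored. */
@Deprecated
public void setEscapedHTML(boolean escapedHTML)
{
   // intentionally a no-op: encoding can no longer be switched off
}
```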
@@ -242,15 +237,4 @@
{
this.label = label;
}
-
- public boolean isEscapedHTML()
- {
- return escapedHTML_;
- }
-
- public void setEscapedHTML(boolean escapedHTML)
- {
- this.escapedHTML_ = escapedHTML;
- }
-
}
\ No newline at end of file
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputInfo.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputInfo.java 2011-09-22
11:32:42 UTC (rev 7482)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputInfo.java 2011-09-22
11:58:08 UTC (rev 7483)
@@ -21,6 +21,7 @@
import org.exoplatform.webui.application.WebuiRequestContext;
import org.exoplatform.commons.serialization.api.annotations.Serialized;
+import org.gatein.common.text.EntityEncoder;
import java.io.Writer;
@@ -52,8 +53,12 @@
{
Writer w = context.getWriter();
w.append("<span id=\"").append(getId()).append("\"
class=\"").append(getId()).append("\">");
- if (value_ != null)
- w.write(value_);
+ String value = getValue();
+ if (value != null)
+ {
+ value = EntityEncoder.FULL.encode(value);
+ w.write(value);
+ }
w.write("</span>");
}
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormSelectBox.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormSelectBox.java 2011-09-22
11:32:42 UTC (rev 7482)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormSelectBox.java 2011-09-22
11:58:08 UTC (rev 7483)
@@ -23,6 +23,7 @@
import org.exoplatform.commons.serialization.api.annotations.Serialized;
import org.exoplatform.webui.core.UIComponent;
import org.exoplatform.webui.core.model.SelectItemOption;
+import org.gatein.common.text.EntityEncoder;
import java.io.Writer;
import java.util.ArrayList;
@@ -254,10 +255,12 @@
{
}
+ String value = item.getValue();
+ value = EntityEncoder.FULL.encode(value);
if (item.isSelected())
{
w.write("<option selected=\"selected\"
value=\"");
- w.write(item.getValue());
+ w.write(value);
w.write("\">");
}
else
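Review bot: Only the `selected` branch of the option rendering is visible; the `else` branch that starts at the last line of the hunk, and the write of the option label, are outside it, so it should be confirmed that both also emit the encoded `value` (and an encoded label) rather than `item.getValue()`, otherwise the encoding covers just one of the two code paths. Unlike the other hunks in this commit, `EntityEncoder.FULL.encode(value)` is called here without a null check; `Writer.write(String)` would already have failed on a null item value, so this is probably not a regression, but a guard matching the other inputs, `if (value != null) value = EntityEncoder.FULL.encode(value);`, keeps the classes consistent. The enclosing loop and method continue outside the hunk.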
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java 2011-09-22
11:32:42 UTC (rev 7482)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java 2011-09-22
11:58:08 UTC (rev 7483)
@@ -115,10 +115,7 @@
w.write('\'');
if (value != null && value.length() > 0)
{
- if (isEscapedHTML())
- {
- value = EntityEncoder.FULL.encode(value);
- }
+ value = EntityEncoder.FULL.encode(value);
w.write(" value='");
w.write(value);
w.write('\'');
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java 2011-09-22
11:32:42 UTC (rev 7482)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java 2011-09-22
11:58:08 UTC (rev 7483)
@@ -73,10 +73,7 @@
w.write(">");
if (value != null)
{
- if (isEscapedHTML())
- {
- value = EntityEncoder.FULL.encode(value);
- }
+ value = EntityEncoder.FULL.encode(value);
w.write(value);
}
w.write("</textarea>");
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormWYSIWYGInput.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormWYSIWYGInput.java 2011-09-22
11:32:42 UTC (rev 7482)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormWYSIWYGInput.java 2011-09-22
11:58:08 UTC (rev 7483)
@@ -28,11 +28,10 @@
* Author : Tran The Trong
* trongtt(a)gmail.com
* November 07, 2007
+
+ * @deprecated should use {@link org.exoplatform.webui.form.wysiwyg.UIFormWYSIWYGInput}
instead
*/
@Deprecated
-/**
- * Should use org.exoplatform.webui.form.wysiwyg.UIFormWYSIWYGInput
- * */
public class UIFormWYSIWYGInput extends UIFormInputBase<String>
{
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormColorPicker.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormColorPicker.java 2011-09-22
11:32:42 UTC (rev 7482)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormColorPicker.java 2011-09-22
11:58:08 UTC (rev 7483)
@@ -24,6 +24,7 @@
import org.exoplatform.webui.form.UIFormInput;
import org.exoplatform.webui.form.UIFormInputBase;
import org.exoplatform.webui.form.ext.UIFormColorPicker.Colors.Color;
+import org.gatein.common.text.EntityEncoder;
import java.io.Writer;
import java.util.HashMap;
@@ -196,12 +197,17 @@
public void processRender(WebuiRequestContext context) throws Exception
{
+ String value = getValue();
+ if (value != null)
+ {
+ value = EntityEncoder.FULL.encode(value);
+ }
Writer w = context.getWriter();
w.write("<div class='UIFormColorPicker'>");
w.write("<div class=\"UIColorPickerInput\"
onclick=\"eXo.webui.UIColorPicker.show(this)\">");
- w.write("<span class=\" DisplayValue " +
encodeValue(value_).toString() + "\"></span>");
+ w.write("<span class=\" DisplayValue " + value +
"\"></span>");
w.write("</div>");
- w.write("<div class=\"CalendarTableColor\"
selectedColor=\"" + encodeValue(value_).toString() + " \">");
+ w.write("<div class=\"CalendarTableColor\"
selectedColor=\"" + value + " \">");
int i = 0;
int count = 0;
while (i <= size() / items())
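Review bot: With a null value the concatenations `" DisplayValue " + value` and `selectedColor=\"" + value + " \"` now emit the literal text `null` into the class and `selectedColor` attributes, whereas the removed `encodeValue(value_)` built `new StringBuilder(value)` and would have failed on null; if a null value is reachable here, `String value = getValue(); value = value == null ? "" : EntityEncoder.FULL.encode(value);` avoids rendering a bogus class token. The same encoded string also feeds the single-quoted hidden `value='…'` in the next hunk, so the fix relies on `EntityEncoder.FULL` escaping `'` as well as `"`, which the removed helper did explicitly and which is worth stating in a comment at the encode site. `processRender` continues past the end of the hunk.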
@@ -227,9 +233,9 @@
w.write("</div>");
w.write("<input class='UIColorPickerValue' name='" +
getId() + "' type='hidden'" + " id='" + getId() +
"' "
+ renderJsActions());
- if (value_ != null && value_.trim().length() > 0)
+ if (value != null && value.trim().length() > 0)
{
- w.write(" value='" + value_ + "'");
+ w.write(" value='" + value + "'");
}
w.write(" />");
w.write("</div>");
@@ -243,36 +249,6 @@
return super.setValue(arg0);
}
- private StringBuilder encodeValue(String value)
- {
- char[] chars = {'\'', '"'};
- String[] refs = {"'", """};
- StringBuilder builder = new StringBuilder(value);
- int idx;
- for (int i = 0; i < chars.length; i++)
- {
- idx = indexOf(builder, chars[i], 0);
- while (idx > -1)
- {
- builder = builder.replace(idx, idx + 1, refs[i]);
- idx = indexOf(builder, chars[i], idx);
- }
- }
- return builder;
- }
-
- private int indexOf(StringBuilder builder, char c, int from)
- {
- int i = from;
- while (i < builder.length())
- {
- if (builder.charAt(i) == c)
- return i;
- i++;
- }
- return -1;
- }
-
static public class Colors
{
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormComboBox.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormComboBox.java 2011-09-22
11:32:42 UTC (rev 7482)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormComboBox.java 2011-09-22
11:58:08 UTC (rev 7483)
@@ -23,6 +23,7 @@
import org.exoplatform.webui.core.model.SelectItemOption;
import org.exoplatform.webui.form.UIForm;
import org.exoplatform.webui.form.UIFormInputBase;
+import org.gatein.common.text.EntityEncoder;
import java.io.Writer;
import java.util.HashMap;
@@ -193,6 +194,12 @@
}
text += "</div></div></div>";
options = options.substring(0, options.length() - 1) + "]";
+
+ String value = getValue();
+ if (value != null)
+ {
+ value = EntityEncoder.FULL.encode(value);
+ }
text += "<input type='hidden' name='" + getName() +
"' id='" + getId() + "'";
if (value_ != null && value_.trim().length() > 0)
{
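Review bot: The guard on the last context line still tests `value_` (`if (value_ != null && value_.trim().length() > 0)`) while the encoded copy is the new local `value`; the write inside that block is outside the hunk, so it should be confirmed that it appends `value` and not `value_`, otherwise the newly added encoding is dead code for the hidden input. Using the local in the guard as well, `if (value != null && value.trim().length() > 0)`, removes the ambiguity and matches the pattern used in UIFormColorPicker in this same commit. The `options` string assembled above from the select items is built outside the hunk and is not covered by this encoding. The enclosing render method continues past the end of the hunk.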
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormInputSetWithAction.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormInputSetWithAction.java 2011-09-22
11:32:42 UTC (rev 7482)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/ext/UIFormInputSetWithAction.java 2011-09-22
11:58:08 UTC (rev 7483)
@@ -19,7 +19,6 @@
package org.exoplatform.webui.form.ext;
-import org.exoplatform.webui.application.WebuiRequestContext;
import org.exoplatform.webui.config.annotation.ComponentConfig;
import org.exoplatform.webui.form.UIForm;
import org.exoplatform.webui.form.UIFormInput;
@@ -89,14 +88,6 @@
isShowActionInfo = isShow;
}
- /* (non-Javadoc)
- * @see
org.exoplatform.webui.form.UIFormInputSet#processRender(org.exoplatform.webui.application.WebuiRequestContext)
- */
- public void processRender(WebuiRequestContext context) throws Exception
- {
- super.processRender(context);
- }
-
/**
* Sets the actions.
*