Author: hfnukal
Date: 2011-08-19 14:18:07 -0400 (Fri, 19 Aug 2011)
New Revision: 7191
Modified:
epp/portal/branches/EPP_5_2_Branch/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl
Log:
JBEPP-353 JBEPP-1048 XSS vulnerability when adding portlet to category
Modified:
epp/portal/branches/EPP_5_2_Branch/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl
===================================================================
---
epp/portal/branches/EPP_5_2_Branch/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl 2011-08-19
17:52:11 UTC (rev 7190)
+++
epp/portal/branches/EPP_5_2_Branch/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl 2011-08-19
18:18:07 UTC (rev 7191)
@@ -39,17 +39,25 @@
<%
for(application in uicomponent.getApplications()) {
String applicationLabel = application.getDisplayName();
+ String applicationLabelFull = applicationLabel;
if(applicationLabel.length() > 30) applicationLabel =
applicationLabel.substring(0, 27) + "...";
+ applicationLabel =
encoder.encode(applicationLabel==null?"":applicationLabel);
+ applicationLabelFull =
encoder.encode(applicationLabelFull==null?"":applicationLabelFull);
String srcBG = application.getIconURL();
String srcBGError =
"/eXoResources/skin/sharedImages/Icon80x80/DefaultPortlet.png";
+
+ description = application.getDescription();
+ if(description == null) displayName = "";
+ description = encoder.encode(description);
+
%>
<div class="UIVTab VTabStyle3"
id="<%=application.getId();%>"
onmousedown="eXo.portal.PortalDragDrop.init.call(this, event);">
<div class="VTabContentBG">
<div class="OverflowContainer">
<img src="<%=(srcBG!=null &&
srcBG.length()>0)?srcBG:srcBGError%>"
onError="src='$srcBGError'" alt=""/>
- <div class="ContentInfo" title="<%=
application.getDisplayName() %>" style="cursor:move;">
+ <div class="ContentInfo" title="<%= applicationLabelFull
%>" style="cursor:move;">
<div class="LabelTab">$applicationLabel</div>
- <div class="LableText"><%= application.getDescription()
%></div>
+ <div class="LableText"><%= description %></div>
</div>
<div class="ClearLeft"><span></span></div>
</div>
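Review bot: The null guard added for the description assigns to `displayName` instead of `description`, so a null description still reaches `encoder.encode(description)` on the next line; it should read `if(description == null) description = "";`. The label has the same ordering problem: `applicationLabel.length()` is called before the `applicationLabel==null?"":applicationLabel` default, so that null check can never take effect and the default belongs before the `substring` truncation. The `src` attribute still takes `application.getIconURL()` without passing it through `encoder`, though whether that value is user-supplied is not visible from this hunk. The enclosing `for(application in uicomponent.getApplications())` loop closes outside the hunk.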