Author: ndkhoiits
Date: 2011-09-07 07:23:24 -0400 (Wed, 07 Sep 2011)
New Revision: 7328
Modified:
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl
portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl
Log:
GTNPORTAL-2065 XSS vulnerability at portlet description
Modified:
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java
===================================================================
---
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java 2011-09-07
09:49:58 UTC (rev 7327)
+++
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java 2011-09-07
11:23:24 UTC (rev 7328)
@@ -40,6 +40,7 @@
import org.exoplatform.webui.form.UIFormTextAreaInput;
import org.exoplatform.webui.form.validator.MandatoryValidator;
import org.exoplatform.webui.form.validator.NameValidator;
+import org.exoplatform.webui.form.validator.SpecialCharacterValidator;
import org.exoplatform.webui.form.validator.StringLengthValidator;
import java.util.Calendar;
@@ -56,7 +57,7 @@
@Serialized
public class UIApplicationForm extends UIForm
{
-
+
private Application application_;
public UIApplicationForm() throws Exception
@@ -64,7 +65,7 @@
addUIFormInput(new UIFormStringInput("applicationName",
"applicationName", null).addValidator(
MandatoryValidator.class).addValidator(StringLengthValidator.class, 3,
30).addValidator(NameValidator.class));
addUIFormInput(new UIFormStringInput("displayName",
"displayName", null).addValidator(
- StringLengthValidator.class, 3, 30));
+ StringLengthValidator.class, 3,
30).addValidator(SpecialCharacterValidator.class));
addUIFormInput(new UIFormTextAreaInput("description",
"description", null).addValidator(
StringLengthValidator.class, 0, 255));
}
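Review bot: `SpecialCharacterValidator` on the displayName input (the `+` lines at the end of this hunk, and the matching change in the UICategoryForm hunk) is an input-side character filter, not an XSS fix: the description field named in the log message keeps only `StringLengthValidator.class, 0, 255`, and stored values remain only as safe as every template that renders them. The effective control in this commit is the `EntityEncoder.FULL` output encoding added to the templates, so the validator should be read as naming hygiene rather than as the protection. A short comment on the added line would keep a future reader from weakening the template encoding on the assumption that the form filters input: `// SpecialCharacterValidator restricts the display name's character set; XSS protection is the entity encoding applied where the value is rendered.` The constructor this hunk sits in starts before the hunk.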
Modified:
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java
===================================================================
---
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java 2011-09-07
09:49:58 UTC (rev 7327)
+++
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java 2011-09-07
11:23:24 UTC (rev 7328)
@@ -38,6 +38,7 @@
import org.exoplatform.webui.form.UIFormTextAreaInput;
import org.exoplatform.webui.form.validator.IdentifierValidator;
import org.exoplatform.webui.form.validator.MandatoryValidator;
+import org.exoplatform.webui.form.validator.SpecialCharacterValidator;
import org.exoplatform.webui.form.validator.StringLengthValidator;
import org.exoplatform.webui.organization.UIListPermissionSelector;
import
org.exoplatform.webui.organization.UIListPermissionSelector.EmptyIteratorValidator;
@@ -74,7 +75,7 @@
MandatoryValidator.class).addValidator(StringLengthValidator.class, 3,
30).addValidator(
IdentifierValidator.class));
uiCategorySetting.addUIFormInput(new UIFormStringInput(FIELD_DISPLAY_NAME,
FIELD_DISPLAY_NAME, null)
- .addValidator(StringLengthValidator.class, 3, 30));
+ .addValidator(StringLengthValidator.class, 3,
30).addValidator(SpecialCharacterValidator.class));
uiCategorySetting.addUIFormInput(new UIFormTextAreaInput(FIELD_DESCRIPTION,
FIELD_DESCRIPTION, null)
.addValidator(StringLengthValidator.class, 0, 255));
addChild(uiCategorySetting);
Modified:
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl
===================================================================
---
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl 2011-09-07
09:49:58 UTC (rev 7327)
+++
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl 2011-09-07
11:23:24 UTC (rev 7328)
@@ -15,15 +15,15 @@
<%
String cTab, cName, description, displayName;
boolean isSelected = false;
+ EntityEncoder encoder = EntityEncoder.FULL;
for(category in categories) {
- cName = category.getName();
- EntityEncoder encoder = EntityEncoder.FULL;
+ cName = category.getName();
displayName = encoder.encode(category.getDisplayName());
- if(displayName == null || displayName.length() < 1 ) displayName = cName;
- if(selectedCategory != null && cName == selectedCategory.getName()) {
+ if (displayName == null || displayName.length() < 1 ) displayName = cName;
+ if (selectedCategory != null && cName == selectedCategory.getName()) {
isSelected = true;
cTab = "SelectedTab";
- }else {
+ } else {
isSelected = false;
cTab = "NormalTab";
}
@@ -34,11 +34,12 @@
<%= displayName %>
</a>
</div>
- <% if(isSelected) { %>
+ <% if (isSelected) { %>
<div class="UIVTabContent" style="display: block">
<%
- for(application in uicomponent.getApplications()) {
- String applicationLabel = application.getDisplayName();
+ for (application in uicomponent.getApplications()) {
+ String applicationName = encoder.encode(application.getDisplayName());
+ String applicationDescription = encoder.encode(application.getDescription());
String srcBG = application.getIconURL();
String srcBGError =
"/eXoResources/skin/sharedImages/Icon80x80/DefaultPortlet.png";
%>
@@ -46,9 +47,9 @@
<div class="VTabContentBG">
<div class="OverflowContainer">
<img src="<%=(srcBG!=null &&
srcBG.length()>0)?srcBG:srcBGError%>"
onError="src='$srcBGError'" alt=""/>
- <div class="ContentInfo" title="<%=
application.getDisplayName() %>" style="cursor:move;">
- <div class="LabelTab">$applicationLabel</div>
- <div class="LableText"><%= application.getDescription()
%></div>
+ <div class="ContentInfo" title="$applicationName"
style="cursor:move;">
+ <div class="LabelTab">$applicationName</div>
+ <div class="LableText">$applicationDescription</div>
</div>
<div class="ClearLeft"><span></span></div>
</div>
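Review bot: The icon URL written into the `src` attribute at the top of this hunk is still unencoded while the `title`, label and description values beside it now are; `srcBG` comes from the same application metadata, so it deserves the same treatment where it is assigned in the preceding hunk: `String srcBG = encoder.encode(application.getIconURL());` (the existing null/length check keeps working only if `encode` passes null through — confirm that against the encoder). The new `title="$applicationName"` also relies on `EntityEncoder.FULL` escaping the double quote in addition to `<` and `&`; the name suggests it does, but an attribute context needs `"` escaped, so it is worth confirming before closing the ticket.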
Modified:
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl
===================================================================
---
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl 2011-09-07
09:49:58 UTC (rev 7327)
+++
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl 2011-09-07
11:23:24 UTC (rev 7328)
@@ -1,9 +1,11 @@
<%
- import org.exoplatform.portal.webui.page.UIPage;
- import javax.portlet.WindowState;
+ import org.exoplatform.portal.webui.workspace.UIPortalApplication;
import org.exoplatform.web.application.JavascriptManager;
- import org.exoplatform.portal.webui.workspace.UIPortalApplication;
+ import org.gatein.common.text.EntityEncoder;
+
+ import javax.portlet.WindowState;
+
def rcontext = _ctx.getRequestContext();
UIPortalApplication uiPortalApp = rcontext.getUIApplication();
@@ -17,9 +19,13 @@
String onControlOver = "eXo.webui.UIPortlet.onControlOver(this, true);";
String onControlOut = "eXo.webui.UIPortlet.onControlOver(this, false);";
+
WindowState windowState = uicomponent.getCurrentWindowState();
String portletId = uicomponent.getId();
+ EntityEncoder encoder = EntityEncoder.FULL;
+
+ String title = encoder.encode(uicomponent.getDisplayTitle());
if(uiPortalApp.isEditing()) {
%>
<div class="UIPortlet
<%=hasPermission?"":"ProtectedPortlet"%>"
id="UIPortlet-$portletId"
onmouseover="eXo.portal.UIPortal.blockOnMouseOver(event, this, true);"
onmouseout="eXo.portal.UIPortal.blockOnMouseOver(event, this, false);"
@@ -36,7 +42,7 @@
<div class="FixHeight">
<%
if(hasPermission) {
- print uicomponent.getDisplayTitle();
+ print title;
} else print "<div
class='ProtectedContent'>"+_ctx.appRes("UIPortlet.label.protectedContent")+"</div>";
%>
</div>
@@ -54,7 +60,6 @@
if(portalMode != uiPortalApp.CONTAINER_BLOCK_EDIT_MODE && portalMode !=
uiPortalApp.APP_BLOCK_EDIT_MODE) {
if(uicomponent.getShowInfoBar()) {
- String title = uicomponent.getDisplayTitle();
if(title == null || title.trim().length() < 1)
title = portletId;
/*Begin Window Portlet Bar*/
@@ -258,7 +263,6 @@
String portletIcon = uicomponent.getIcon();
if(portletIcon == null) portletIcon = "PortletIcon";
- String title = uicomponent.getDisplayTitle();
if(title.length() > 30) title = title.substring(0,27) +
"...";
%>
<div class="PortletIcon $portletIcon"><%=hasPermission
? title : _ctx.appRes("UIPortlet.label.protectedContent")%></div>
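Review bot: `title` is now the entity-encoded string, so the `title.substring(0,27)` truncation at the top of this hunk counts encoded characters and can cut through an entity such as `&amp;`, emitting a partial entity; the same applies to `gadgetName.substring(0, 20)` in the last UIDashboardSelectContainer hunk. Truncate the raw value and encode the result instead: `String rawTitle = uicomponent.getDisplayTitle();` / `if(rawTitle.length() > 30) rawTitle = rawTitle.substring(0,27) + "...";` / `title = encoder.encode(rawTitle);`. Note too that `title` is now shared with the info-bar block in the earlier hunk, where an empty title is replaced by `portletId`; if that block ran, this label now shows the id where the old code re-read `getDisplayTitle()`, which may or may not be intended. The surrounding template code starts and continues outside this hunk.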
Modified:
portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl
===================================================================
---
portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl 2011-09-07
09:49:58 UTC (rev 7327)
+++
portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl 2011-09-07
11:23:24 UTC (rev 7328)
@@ -1,4 +1,6 @@
<%
+ import org.gatein.common.text.EntityEncoder;
+
def uiDashboard =
uicomponent.getAncestorOfType(org.exoplatform.dashboard.webui.component.UIDashboard.class);
if(!uiDashboard.canEdit()) return;
@@ -6,6 +8,8 @@
def rcontext = _ctx.getRequestContext();
rcontext.getJavascriptManager().addJavascript("eXo.webui.UIDashboard.initPopup('"+uiPopup.getId()+"');");
+ EntityEncoder encoder = EntityEncoder.FULL;
+
%>
<div class="$uicomponent.id" id="UIDashboardSelectContainer"
style="display: <%= uiDashboard.isShowSelectPopup()? "block" :
"none"; %>;">
<div class="DashboardItemContainer ItemContainer">
@@ -21,13 +25,14 @@
<% List categories = uicomponent.getCategories();
if(categories != null && categories.size() > 0){
for(category in categories){
+ String categoryName = encoder.encode(category.getDisplayName());
%>
<div class="GadgetCategory" id="${category.getName()}">
<div class="GadgetTab SelectedTab"
onclick="eXo.webui.UIDashboard.onTabClick(this, 'NormalTab',
'SelectedTab')">
<div class="LeftCategoryTitleBar">
<div class="RightCategoryTitleBar">
<div class="MiddleCategoryTitleBar">
- <div class="ArrowIcon"
title="${category.getDisplayName()}">${category.getDisplayName()}</div>
+ <div class="ArrowIcon"
title="$categoryName">$categoryName</div>
</div>
</div>
</div>
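Review bot: `id="${category.getName()}"` on the `GadgetCategory` div in this hunk still interpolates the raw category name into an attribute while the display name next to it is now encoded via `categoryName`. UICategoryForm applies `IdentifierValidator` to that name, which presumably constrains it to identifier characters, so the exposure is likely small, but encoding it too (`id="${encoder.encode(category.getName())}"`) keeps the template consistent and does not depend on the form validator staying in place; the same applies to `${gadget.getId()}` in the following hunk.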
@@ -40,12 +45,12 @@
// uiPopup.setWindowSize(-1, 600);
for(gadget in lstGadgets){
+ String gadgetName = encoder.encode(gadget.getDisplayName());
%>
<div class="UIGadget SelectItem Item"
id="${gadget.getId()}" style="top:0px; left:0px;">
<div class="GadgetControl">
- <% def label = gadget.getDisplayName() %>
- <div class="GadgetTitle" style="cursor:move;"
title="$label">
- <%= (label.length() <= 23) ? label : label.substring(0,
20)+"..." %>
+ <div class="GadgetTitle" style="cursor:move;"
title="$gadgetName">
+ <%= (gadgetName.length() <= 23) ? gadgetName :
gadgetName.substring(0, 20)+"..." %>
</div>
</div>
</div>