From do-not-reply at jboss.org Mon Sep 12 06:38:27 2011
Content-Type: multipart/mixed; boundary="===============8443773437071123838=="
MIME-Version: 1.0
From: do-not-reply at jboss.org
To: gatein-commits at lists.jboss.org
Subject: [gatein-commits] gatein SVN: r7351 - in portal/branches/xss-issues:
 webui/portal/src/main/java/org/exoplatform/portal/webui/portal and 1 other
 directory.
Date: Mon, 12 Sep 2011 06:38:27 -0400
Message-ID: <201109121038.p8CAcRco015587@svn01.web.mwc.hst.phx2.redhat.com>

--===============8443773437071123838==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Author: ndkhoiits
Date: 2011-09-12 06:38:27 -0400 (Mon, 12 Sep 2011)
New Revision: 7351

Modified:
   portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navig=
ation/webui/component/UISiteManagement.gtmpl
   portal/branches/xss-issues/webui/portal/src/main/java/org/exoplatform/po=
rtal/webui/portal/UIPortalForm.java
Log:
GTNPORTAL-2062 XSS issue when entering site description

Modified: portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groov=
y/navigation/webui/component/UISiteManagement.gtmpl
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navi=
gation/webui/component/UISiteManagement.gtmpl	2011-09-12 10:26:25 UTC (rev =
7350)
+++ portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navi=
gation/webui/component/UISiteManagement.gtmpl	2011-09-12 10:38:27 UTC (rev =
7351)
@@ -1,76 +1,81 @@
 <%
+  import org.exoplatform.portal.config.UserPortalConfigService;
   import org.exoplatform.webui.core.UIComponent ;
   import org.exoplatform.webui.form.UIForm;
-  import java.text.DateFormat;
-  import java.text.SimpleDateFormat;
-  import org.exoplatform.portal.config.UserPortalConfigService;
-   =

+  =

+  import org.gatein.common.text.EntityEncoder;
+  =

   String[] actions =3D  uicomponent.getActions();
   uicomponent.loadPortalConfigs();
   def rcontext =3D _ctx.getRequestContext();
   def userPortalConfigService =3D uicomponent.getApplicationComponent(User=
PortalConfigService.class);
   def defaultPortalName =3D userPortalConfigService.getDefaultPortal();
+  EntityEncoder encoder =3D EntityEncoder.FULL;
+  =

+  String editLayoutLabel =3D _ctx.appRes("UISiteManagement.label.editLayou=
t");
+  String editNavigationLabel =3D _ctx.appRes("UISiteManagement.label.editN=
av");
+  String editPortalPropLabel =3D _ctx.appRes("UISiteManagement.label.editP=
ortalProp");
+  String deletePortalLabel =3D _ctx.appRes("UISiteManagement.label.deleteP=
ortal");
 %>
 <div class=3D"UISiteManagement UIManagement" id=3D"<%=3Duicomponent.getId(=
);%>">
-	  <%
-		    for (portalConfig in uicomponent.getPortalConfigs())  {		      =

-	  %>
-		      	<table class=3D"ManagementBlock" style=3D"table-layout: fixed">
-		      		<tr>
-				      	<td class=3D"Image"><img src=3D"/exoadmin/skin/navigation/webui=
/component/background/PlImg.gif" alt=3D""/></td>
-				      	<td class=3D"Content">
+      <%
+            for (portalConfig in uicomponent.getPortalConfigs())  {       =
    =

+      %>
+                <table class=3D"ManagementBlock" style=3D"table-layout: fi=
xed">
+                    <tr>
+                        <td class=3D"Image"><img src=3D"/exoadmin/skin/nav=
igation/webui/component/background/PlImg.gif" alt=3D""/></td>
+                        <td class=3D"Content">
                            <div class=3D"Label"><%=3Duicomponent.getFieldV=
alue(portalConfig, 'name') %></div>
                            <%
-                           def siteLabel =3D uicomponent.getFieldValue(por=
talConfig, 'label');
-                           def siteDescription =3D uicomponent.getFieldVal=
ue(portalConfig, 'description');
-                           if (siteLabel !=3D null && siteLabel.trim().len=
gth() > 0)
-                           {
+                           String siteLabel =3D uicomponent.getFieldValue(=
portalConfig, 'label');
+                           if (siteLabel !=3D null && siteLabel.trim().len=
gth() > 0) {
+                              siteLabel =3D encoder.encode(siteLabel);
                               print """<div>$siteLabel</div>""";
                            }
-                           if (siteDescription !=3D null && siteDescriptio=
n.trim().length() > 0)
-                           {
+                           =

+                           String siteDescription =3D uicomponent.getField=
Value(portalConfig, 'description');
+                           if (siteDescription !=3D null && siteDescriptio=
n.trim().length() > 0) {
+                              siteDescription =3D encoder.encode(siteDescr=
iption);
                               print """<div>$siteDescription</div>""";
                            }
                            %>
-					    </td>
-				        <td class=3D"ActionBlock">
-					        	<a href=3D"<%=3Duicomponent.event("EditPortalLayout", portal=
Config.getName());%>" class=3D"EditLayoutIcon"><%=3D_ctx.appRes("UISiteMana=
gement.label.editLayout")%></a>
-					        	<a href=3D"<%=3Duicomponent.event("EditNavigation", portalCo=
nfig.getName());%>" class=3D"EditNavIcon"><%=3D_ctx.appRes("UISiteManagemen=
t.label.editNav")%></a>
-					        	<a href=3D"javascript:ajaxGet(eXo.env.server.createPortalURL=
('UIPortal', 'EditPortalProperties', true, [{name:'portalName',value:'<%=3D=
portalConfig.getName()%>'}]))" class=3D"EditNavIcon"><%=3D_ctx.appRes("UISi=
teManagement.label.editPortalProp")%></a>
-					        	=

-					        	<% if(defaultPortalName !=3D null && !defaultPortalName.equa=
ls(portalConfig.getName())) {%>
-					        		<a href=3D"<%=3Duicomponent.url("DeletePortal", portalConfi=
g.getName());%>" class=3D"DeleteIcon"><%=3D_ctx.appRes("UISiteManagement.la=
bel.deletePortal")%></a>
-					        	<% } %>
-				        </td>
-				      </tr>
-				    </table>    =

-		<%		    =

-		  }
-		%> =

-	<%
-		if(uicomponent.getPortalConfigs() !=3D null && uicomponent.getPortalConf=
igs().size() > 0){
-	%>
-	<div class=3D"UIAction"> =

+                        </td>
+                        <td class=3D"ActionBlock">
+                                <a href=3D"<%=3Duicomponent.event("EditPor=
talLayout", portalConfig.getName());%>" class=3D"EditLayoutIcon">$editLayou=
tLabel</a>
+                                <a href=3D"<%=3Duicomponent.event("EditNav=
igation", portalConfig.getName());%>" class=3D"EditNavIcon">$editNavigation=
Label</a>
+                                <a href=3D"javascript:ajaxGet(eXo.env.serv=
er.createPortalURL('UIPortal', 'EditPortalProperties', true, [{name:'portal=
Name',value:'<%=3DportalConfig.getName()%>'}]))" class=3D"EditNavIcon">$edi=
tPortalPropLabel</a>
+                                =

+                                <% if(defaultPortalName !=3D null && !defa=
ultPortalName.equals(portalConfig.getName())) {%>
+                                    <a href=3D"<%=3Duicomponent.url("Delet=
ePortal", portalConfig.getName());%>" class=3D"DeleteIcon">$deletePortalLab=
el</a>
+                                <% } %>
+                        </td>
+                      </tr>
+                    </table>    =

+        <%          =

+          }
+        %> =

+    <%
+        if(uicomponent.getPortalConfigs() !=3D null && uicomponent.getPort=
alConfigs().size() > 0){
+    %>
+    <div class=3D"UIAction"> =

     <table class=3D"ActionContainer">
-	    <tr>
-	    	<td>
-		      <div onclick=3D"ajaxGet(eXo.env.server.createPortalURL('UIWorkingW=
orkspace', 'CreatePortal', true))" class=3D"ActionButton BlueButton">
-		        <div class=3D"ButtonLeft">
-		          <div class=3D"ButtonRight">
-		            <div class=3D"ButtonMiddle">
-		              <a href=3D"javascript:void(0);"><%=3D_ctx.appRes(uicompone=
nt.getId() + ".action.addNewPortal")%></a>
-		            </div>
-		          </div>
-		        </div>
-		       </div>
-		    </td>
+        <tr>
+            <td>
+              <div onclick=3D"ajaxGet(eXo.env.server.createPortalURL('UIWo=
rkingWorkspace', 'CreatePortal', true))" class=3D"ActionButton BlueButton">
+                <div class=3D"ButtonLeft">
+                  <div class=3D"ButtonRight">
+                    <div class=3D"ButtonMiddle">
+                      <a href=3D"javascript:void(0);"><%=3D_ctx.appRes(uic=
omponent.getId() + ".action.addNewPortal")%></a>
+                    </div>
+                  </div>
+                </div>
+               </div>
+            </td>
       </tr>
- 	  </table>
-	</div>
-	<%
-		}
-	%>
-	<%uicomponent.renderChildren();%>
-</div>
-
-
+      </table>
+    </div>
+    <%
+        }
+    %>
+    <%uicomponent.renderChildren();%>
+</div>
\ No newline at end of file

Modified: portal/branches/xss-issues/webui/portal/src/main/java/org/exoplat=
form/portal/webui/portal/UIPortalForm.java
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- portal/branches/xss-issues/webui/portal/src/main/java/org/exoplatform/p=
ortal/webui/portal/UIPortalForm.java	2011-09-12 10:26:25 UTC (rev 7350)
+++ portal/branches/xss-issues/webui/portal/src/main/java/org/exoplatform/p=
ortal/webui/portal/UIPortalForm.java	2011-09-12 10:38:27 UTC (rev 7351)
@@ -63,6 +63,7 @@
 import org.exoplatform.webui.form.UIFormTabPane;
 import org.exoplatform.webui.form.validator.IdentifierValidator;
 import org.exoplatform.webui.form.validator.MandatoryValidator;
+import org.exoplatform.webui.form.validator.SpecialCharacterValidator;
 import org.exoplatform.webui.form.validator.StringLengthValidator;
 import org.exoplatform.webui.organization.UIListPermissionSelector;
 import org.exoplatform.webui.organization.UIListPermissionSelector.EmptyIt=
eratorValidator;
@@ -242,7 +243,7 @@
          new UIFormStringInput(FIELD_NAME, FIELD_NAME, null).addValidator(=
MandatoryValidator.class).addValidator(
             StringLengthValidator.class, 3, 30).addValidator(IdentifierVal=
idator.class).setEditable(false));
       =

-      uiSettingSet.addUIFormInput(new UIFormStringInput(FIELD_LABEL, FIELD=
_LABEL, null));
+      uiSettingSet.addUIFormInput(new UIFormStringInput(FIELD_LABEL, FIELD=
_LABEL, null).addValidator(SpecialCharacterValidator.class));
       uiSettingSet.addUIFormInput(new UIFormStringInput(FIELD_DESCRIPTION,=
 FIELD_DESCRIPTION, null));
       uiSettingSet.addUIFormInput(new UIFormSelectBox(FIELD_LOCALE, FIELD_=
LOCALE, languages).addValidator(MandatoryValidator.class));
       =



--===============8443773437071123838==--