From do-not-reply at jboss.org Mon Sep 12 06:26:26 2011
Content-Type: multipart/mixed; boundary="===============8743664616212184529=="
MIME-Version: 1.0
From: do-not-reply at jboss.org
To: gatein-commits at lists.jboss.org
Subject: [gatein-commits] gatein SVN: r7350 -
 portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component.
Date: Mon, 12 Sep 2011 06:26:25 -0400
Message-ID: <201109121026.p8CAQPN4013434@svn01.web.mwc.hst.phx2.redhat.com>

--===============8743664616212184529==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Author: ndkhoiits
Date: 2011-09-12 06:26:25 -0400 (Mon, 12 Sep 2011)
New Revision: 7350

Modified:
   portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navig=
ation/webui/component/UINavigationGrid.gtmpl
Log:
GTNPORTAL-2061 XSS in Group description content
GTNPORTAL-2066 XSS vulnerabilities when creating new group

Modified: portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groov=
y/navigation/webui/component/UINavigationGrid.gtmpl
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navi=
gation/webui/component/UINavigationGrid.gtmpl	2011-09-12 09:58:42 UTC (rev =
7349)
+++ portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navi=
gation/webui/component/UINavigationGrid.gtmpl	2011-09-12 10:26:25 UTC (rev =
7350)
@@ -1,34 +1,51 @@
-<%	=

-	import java.util.List;
-	import org.exoplatform.webui.organization.OrganizationUtils;
-	import org.exoplatform.portal.mop.SiteKey;
-	=

-	def parent =3D uicomponent.getParent();
-	def navigations =3D uicomponent.getBeans();
+<%  =

+    import org.exoplatform.portal.mop.SiteKey;
+    import org.exoplatform.webui.organization.OrganizationUtils;
+    import org.gatein.common.text.EntityEncoder;
+    =

+    import java.util.List;
+
+    def parent =3D uicomponent.getParent();
+    def navigations =3D uicomponent.getBeans();
 %>
 =

 <div id=3D"$uicomponent.id" class=3D"FeedBox">
-	<% =

-	boolean isEvenRow =3D true;
-	SiteKey siteKey;
-	for(navigation in navigations) {
-			siteKey =3D navigation.getKey();
-			deleteLink =3D parent.event("DeleteNavigation",String.valueOf(siteKey.g=
etName()));
-			editProperties =3D parent.event("EditProperties",String.valueOf(siteKey=
.getName()));
-			editLink =3D parent.event("EditNavigation",String.valueOf(siteKey.getNa=
me()));%>
+    <% =

+    boolean isEvenRow =3D true;
+    SiteKey siteKey;
+    EntityEncoder encoder =3D EntityEncoder.FULL;
+    String descriptionLabel =3D _ctx.appRes("UIGroupNavigationManagement.L=
abel.Description");
+    String editNavigationLabel =3D _ctx.appRes("UIGroupNavigationManagemen=
t.Label.EditNavigation");
+    String editPropertiesLabel =3D _ctx.appRes("UIGroupNavigationManagemen=
t.Label.EditProperties");
+    String deleteNavigationLabel =3D _ctx.appRes("UIGroupNavigationManagem=
ent.Label.DeleteNavigation");
+    for(navigation in navigations) {
+       siteKey =3D navigation.getKey();
+       String groupDescription =3D OrganizationUtils.getGroupDescription(s=
iteKey.getName());
+       if (groupDescription) {
+          groupDescription =3D encoder.encode(groupDescription);
+       }
+       =

+       String groupLabel =3D OrganizationUtils.getGroupLabel(siteKey.getNa=
me())
+       if (groupLabel) {
+          groupLabel =3D encoder.encode(groupLabel);
+       }
+       =

+       String deleteLink =3D parent.event("DeleteNavigation",String.valueO=
f(siteKey.getName()));
+       String editProperties =3D parent.event("EditProperties",String.valu=
eOf(siteKey.getName()));
+       String editLink =3D parent.event("EditNavigation",String.valueOf(si=
teKey.getName()));%>
   <table class=3D"ManagementBlock <%=3DisEvenRow ? "EvenRow":"OddRow"%>" s=
tyle=3D"table-layout: fixed">
-	  <tr>
-		  <td class=3D"Image"><img src=3D"/exoadmin/skin/navigation/webui/compon=
ent/background/GroupImage.png" alt=3D"" /></td>
-   		<td class=3D"Content">
-   			<div class=3D"Label" title=3D"$siteKey.name"><%=3D OrganizationUtils=
.getGroupLabel(siteKey.getName()) %></div>
-   			<div><%=3D_ctx.appRes("UIGroupNavigationManagement.Label.Description=
")%>: <%=3D OrganizationUtils.getGroupDescription(siteKey.getName()) %></di=
v>
-   		</td>	=

-     	<td class=3D"ActionBlock">
-     		<a href=3D"<%=3DeditLink%>" class=3D"EditNavIcon"><%=3D_ctx.appRes(=
"UIGroupNavigationManagement.Label.EditNavigation")%></a> =

-     		<a href=3D"<%=3DeditProperties%>" class=3D"EditProIcon"><%=3D_ctx.a=
ppRes("UIGroupNavigationManagement.Label.EditProperties")%></a> =

-     		<a href=3D"<%=3DdeleteLink%>" class=3D"DeleteIcon"><%=3D_ctx.appRes=
("UIGroupNavigationManagement.Label.DeleteNavigation")%></a>
-	  	</td>	=

-    </tr>								=

+      <tr>
+        <td class=3D"Image"><img src=3D"/exoadmin/skin/navigation/webui/co=
mponent/background/GroupImage.png" alt=3D"" /></td>
+        <td class=3D"Content">
+            <div class=3D"Label" title=3D"$siteKey.name">$groupLabel</div>
+            <div>$descriptionLabel: $groupDescription</div>
+        </td>   =

+        <td class=3D"ActionBlock">
+            <a href=3D"<%=3DeditLink%>" class=3D"EditNavIcon">$editNavigat=
ionLabel</a> =

+            <a href=3D"<%=3DeditProperties%>" class=3D"EditProIcon">$editP=
ropertiesLabel</a> =

+            <a href=3D"<%=3DdeleteLink%>" class=3D"DeleteIcon">$deleteNavi=
gationLabel</a>
+        </td>   =

+    </tr>                               =

   </table>  =

-	<% isEvenRow =3D !isEvenRow;} %>    =

+    <% isEvenRow =3D !isEvenRow;} %>    =

 </div>


--===============8743664616212184529==--