Author: thomas.heute(a)jboss.com
Date: 2010-04-20 12:06:42 -0400 (Tue, 20 Apr 2010)
New Revision: 2688
Modified:
portal/branches/EPP_5_0_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIApplicationInfo.gtmpl
portal/branches/EPP_5_0_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIApplicationOrganizer.gtmpl
Log:
JBEPP-312: JS Injection in App.registry - portlet description and display name
Modified:
portal/branches/EPP_5_0_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIApplicationInfo.gtmpl
===================================================================
---
portal/branches/EPP_5_0_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIApplicationInfo.gtmpl 2010-04-20
15:59:07 UTC (rev 2687)
+++
portal/branches/EPP_5_0_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIApplicationInfo.gtmpl 2010-04-20
16:06:42 UTC (rev 2688)
@@ -1,17 +1,24 @@
-<%
+<%
+import org.gatein.common.text.EntityEncoder;
def application = uicomponent.getApplication();
def category = uicomponent.getApplicationCategory();
String name = application.getApplicationName();
String srcBG = application.getIconURL();
String srcBGError =
"/eXoResources/skin/sharedImages/Icon80x80/DefaultPortlet.png";
+
+EntityEncoder encoder = EntityEncoder.FULL;
+
+String categoryDisplayName = encoder.encode(category.getDisplayName());
+String applicationDisplayName = encoder.encode(application.getDisplayName());
+String applicationDescription = encoder.encode(application.getDescription());
%>
<div class="$uicomponent.id" id="$uicomponent.id">
<div class="UIBreadcumb">
<div class="ControlIcon EditIcon"
title="<%=_ctx.appRes("UIApplicationInfo.title.editApplication")%>"
onclick="<%= uicomponent.event("EditApplication")
%>"><span></span></div>
<div class="BreadcumbInfo">
- <div class="LeftBlock" title="<%= category.getDisplayName()
%>"><%= category.getDisplayName() %></div>
+ <div class="LeftBlock" title="<%= category.getDisplayName()
%>"><%= categoryDisplayName %></div>
<div
class="RightBlackGridArrow16x16Icon"><span></span></div>
- <div class="Selected" title="<%= application.getDisplayName()
%> "><%= application.getDisplayName() %></div>
+ <div class="Selected" title="<%= application.getDisplayName()
%> "><%= applicationDisplayName %></div>
</div>
</div>
<div class="Application">
@@ -22,7 +29,7 @@
<div class="ApplicationContent">
<div class="TitleBarApplication">
<span
class="LeftLabel"><%=_ctx.appRes("UIApplicationInfo.label.displayName")%></span>
- <span class="RightLabel"><%= application.getDisplayName()
%></span>
+ <span class="RightLabel"><%= applicationDisplayName
%></span>
</div>
<div class="ApplicationContentLabel">
<div class="ContentLabel">
@@ -31,7 +38,7 @@
</div>
<div class="ContentLabel">
<span
class="LeftLabel"><%=_ctx.appRes("UIApplicationInfo.label.description")%></span>
- <span class="RightLabel"><%= application.getDescription()
%></span>
+ <span class="RightLabel"><%= applicationDescription
%></span>
</div>
</div>
</div>
@@ -40,7 +47,7 @@
<table class="TitleBarApplication">
<tr>
<td
class="LeftLabel"><%=_ctx.appRes("UIApplicationInfo.label.displayName")%></td>
- <td class="RightLabel" title=" <%=
application.getDisplayName() %> "><%= application.getDisplayName()
%></td>
+ <td class="RightLabel" title=" <%=
application.getDisplayName() %> "><%= applicationDisplayName
%></td>
</tr>
</table>
<table>
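Review bot: The `title=" <%= application.getDisplayName() %> "` attribute on the RightLabel cell is still unencoded while the cell content now uses `applicationDisplayName`, which leaves an attribute-context injection for a display name containing a double quote. Use the encoded local there as well: `title=" <%= applicationDisplayName %> "`. The surrounding table markup starts outside this hunk.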
@@ -52,7 +59,7 @@
<table>
<tr>
<td
class="LeftLabel"><%=_ctx.appRes("UIApplicationInfo.label.description")%></td>
- <td class="RightLabel" title=" <%=
application.getDescription() %> "><%= application.getDescription()
%></td>
+ <td class="RightLabel" title=" <%=
application.getDescription() %> "><%= applicationDescription
%></td>
</tr>
</table>
</div>
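Review bot: The `title=" <%= application.getDescription() %> "` attribute on the description cell is still rendered raw even though the cell body now uses `applicationDescription`, so a description containing `"` can still break out of the attribute. Change it to `title=" <%= applicationDescription %> "` so both contexts use the same encoded value. The enclosing element starts outside this hunk.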
@@ -64,4 +71,4 @@
<% uicomponent.renderChildren() %>
</div>
</div>
-</div>
\ No newline at end of file
+</div>
Modified:
portal/branches/EPP_5_0_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIApplicationOrganizer.gtmpl
===================================================================
---
portal/branches/EPP_5_0_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIApplicationOrganizer.gtmpl 2010-04-20
15:59:07 UTC (rev 2687)
+++
portal/branches/EPP_5_0_Branch/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIApplicationOrganizer.gtmpl 2010-04-20
16:06:42 UTC (rev 2688)
@@ -1,4 +1,5 @@
<%
+import org.gatein.common.text.EntityEncoder;
def categories = uicomponent.getCategories();
def selectedCategory = uicomponent.getSelectedCategory();
def apps = uicomponent.getApplications();
@@ -28,6 +29,8 @@
cName = category.getName();
displayName =category.getDisplayName();
if(displayName == null || displayName.length() < 1 ) displayName = cName;
+ EntityEncoder encoder = EntityEncoder.FULL;
+ displayName = encoder.encode(displayName);
if(selectedCategory != null && cName == selectedCategory.getName()) {
isSelected = true;
cTab = "SelectedTab";
@@ -64,8 +67,11 @@
String appName= application.getApplicationName();
%>
<div class="ItemContent $cssClass">
- <% def applicationLabel = application.getDisplayName() %>
- <a onclick="<%= uicomponent.event("SelectApplication",
"$appName") %>" class="ItemLabel" title="<%=
application.getDisplayName() %>"><%= (applicationLabel.length() <= 30) ?
applicationLabel : applicationLabel.substring(0, 27)+"..."
%><span></span></a>
+ <% def applicationLabel = application.getDisplayName()
+ String displayApplicationName = (applicationLabel.length() <= 30) ?
applicationLabel : applicationLabel.substring(0, 27)+"...";
+
displayApplicationName = encoder.encode(displayApplicationName);
+ %>
+ <a onclick="<%= uicomponent.event("SelectApplication",
"$appName") %>" class="ItemLabel" title="<%=
application.getDisplayName() %>"><%= displayApplicationName
%><span></span></a>
<a class="ControlIcon DeletePortalIcon"
title="<%=_ctx.appRes("UIOrganizer.title.deleteApplication")%>"
onclick="<%= uicomponent.event("RemoveApplication", appName)
%>"><span></span></a>
<div class="ClearBoth"><span></span></div>
</div>
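Review bot: The anchor's `title="<%= application.getDisplayName() %>"` is still rendered raw on the rewritten `<a>` line while only the truncated label text goes through `encoder.encode(...)`; a display name containing `"` can break out of the attribute, so it should read `title="<%= encoder.encode(application.getDisplayName()) %>"`. Truncating before encoding is the right order, since cutting an encoded string at 27 characters could split an entity. `appName` also flows into the `onclick` handler via `uicomponent.event(...)` without visible escaping; whether that helper escapes its arguments for the JavaScript context is not shown here and is worth confirming. The enclosing application loop starts and ends outside this hunk.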
@@ -86,4 +92,4 @@
<div class="ClearLeft"><span></span></div>
</div>
-</div>
\ No newline at end of file
+</div>