Author: ndkhoiits
Date: 2011-09-12 06:26:25 -0400 (Mon, 12 Sep 2011)
New Revision: 7350
Modified:
portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl
Log:
GTNPORTAL-2061 XSS in Group description content
GTNPORTAL-2066 XSS vulnerabilities when creating new group
Modified:
portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl
===================================================================
---
portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl 2011-09-12
09:58:42 UTC (rev 7349)
+++
portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl 2011-09-12
10:26:25 UTC (rev 7350)
@@ -1,34 +1,51 @@
-<%
- import java.util.List;
- import org.exoplatform.webui.organization.OrganizationUtils;
- import org.exoplatform.portal.mop.SiteKey;
-
- def parent = uicomponent.getParent();
- def navigations = uicomponent.getBeans();
+<%
+ import org.exoplatform.portal.mop.SiteKey;
+ import org.exoplatform.webui.organization.OrganizationUtils;
+ import org.gatein.common.text.EntityEncoder;
+
+ import java.util.List;
+
+ def parent = uicomponent.getParent();
+ def navigations = uicomponent.getBeans();
%>
<div id="$uicomponent.id" class="FeedBox">
- <%
- boolean isEvenRow = true;
- SiteKey siteKey;
- for(navigation in navigations) {
- siteKey = navigation.getKey();
- deleteLink =
parent.event("DeleteNavigation",String.valueOf(siteKey.getName()));
- editProperties =
parent.event("EditProperties",String.valueOf(siteKey.getName()));
- editLink =
parent.event("EditNavigation",String.valueOf(siteKey.getName()));%>
+ <%
+ boolean isEvenRow = true;
+ SiteKey siteKey;
+ EntityEncoder encoder = EntityEncoder.FULL;
+ String descriptionLabel =
_ctx.appRes("UIGroupNavigationManagement.Label.Description");
+ String editNavigationLabel =
_ctx.appRes("UIGroupNavigationManagement.Label.EditNavigation");
+ String editPropertiesLabel =
_ctx.appRes("UIGroupNavigationManagement.Label.EditProperties");
+ String deleteNavigationLabel =
_ctx.appRes("UIGroupNavigationManagement.Label.DeleteNavigation");
+ for(navigation in navigations) {
+ siteKey = navigation.getKey();
+ String groupDescription =
OrganizationUtils.getGroupDescription(siteKey.getName());
+ if (groupDescription) {
+ groupDescription = encoder.encode(groupDescription);
+ }
+
+ String groupLabel = OrganizationUtils.getGroupLabel(siteKey.getName())
+ if (groupLabel) {
+ groupLabel = encoder.encode(groupLabel);
+ }
+
+ String deleteLink =
parent.event("DeleteNavigation",String.valueOf(siteKey.getName()));
+ String editProperties =
parent.event("EditProperties",String.valueOf(siteKey.getName()));
+ String editLink =
parent.event("EditNavigation",String.valueOf(siteKey.getName()));%>
<table class="ManagementBlock <%=isEvenRow ?
"EvenRow":"OddRow"%>" style="table-layout:
fixed">
- <tr>
- <td class="Image"><img
src="/exoadmin/skin/navigation/webui/component/background/GroupImage.png"
alt="" /></td>
- <td class="Content">
- <div class="Label" title="$siteKey.name"><%=
OrganizationUtils.getGroupLabel(siteKey.getName()) %></div>
-
<div><%=_ctx.appRes("UIGroupNavigationManagement.Label.Description")%>:
<%= OrganizationUtils.getGroupDescription(siteKey.getName()) %></div>
- </td>
- <td class="ActionBlock">
- <a href="<%=editLink%>"
class="EditNavIcon"><%=_ctx.appRes("UIGroupNavigationManagement.Label.EditNavigation")%></a>
- <a href="<%=editProperties%>"
class="EditProIcon"><%=_ctx.appRes("UIGroupNavigationManagement.Label.EditProperties")%></a>
- <a href="<%=deleteLink%>"
class="DeleteIcon"><%=_ctx.appRes("UIGroupNavigationManagement.Label.DeleteNavigation")%></a>
- </td>
- </tr>
+ <tr>
+ <td class="Image"><img
src="/exoadmin/skin/navigation/webui/component/background/GroupImage.png"
alt="" /></td>
+ <td class="Content">
+ <div class="Label"
title="$siteKey.name">$groupLabel</div>
+ <div>$descriptionLabel: $groupDescription</div>
+ </td>
+ <td class="ActionBlock">
+ <a href="<%=editLink%>"
class="EditNavIcon">$editNavigationLabel</a>
+ <a href="<%=editProperties%>"
class="EditProIcon">$editPropertiesLabel</a>
+ <a href="<%=deleteLink%>"
class="DeleteIcon">$deleteNavigationLabel</a>
+ </td>
+ </tr>
</table>
- <% isEvenRow = !isEvenRow;} %>
+ <% isEvenRow = !isEvenRow;} %>
</div>
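Review bot: The group name still reaches the page unencoded at `title="$siteKey.name"` on the Label div, even though the label and description beside it now go through `EntityEncoder.FULL`; a group name containing a double quote (which GTNPORTAL-2066 suggests the creation form did not reject) would break out of the attribute. Encode it once per iteration alongside the other values, e.g. `String siteName = encoder.encode(String.valueOf(siteKey.getName()));` and then `title="$siteName"`. The `<%=editLink%>`, `<%=editProperties%>` and `<%=deleteLink%>` hrefs also carry the raw name through `parent.event(...)`; whether `event()` escapes its argument for an href is not visible in this hunk and should be confirmed rather than assumed. A smaller point: the `if (groupLabel)` / `if (groupDescription)` guards skip encoding on null but the GString then renders the literal text `null`, so a `?: ""` fallback would be cleaner.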