Author: ndkhoiits
Date: 2011-09-14 02:10:00 -0400 (Wed, 14 Sep 2011)
New Revision: 7399
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/core/UITree.java
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupMembershipSelector.java
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupSelector.java
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/account/UIGroupSelector.java
Log:
GTNPORTAL-2090 XSS issue in application select permission editor
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/core/UITree.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/core/UITree.java 2011-09-14
04:48:39 UTC (rev 7398)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/core/UITree.java 2011-09-14
06:10:00 UTC (rev 7399)
@@ -27,6 +27,7 @@
import org.exoplatform.webui.event.Event;
import org.exoplatform.webui.event.EventListener;
import org.exoplatform.webui.form.UIForm;
+import org.gatein.common.text.EntityEncoder;
import java.lang.reflect.Method;
import java.util.Collection;
@@ -117,6 +118,11 @@
* A right click popup menu
*/
private UIRightClickPopupMenu uiPopupMenu_;
+
+ /**
+ * Encode the value before rendering or not
+ */
+ private boolean escapeHTML_ = false;
public Object getFieldValue(Object bean, String field) throws Exception
{
@@ -260,6 +266,16 @@
uiPopupMenu_.setParent(this);
}
+ public void setEscapeHTML(boolean escape)
+ {
+ escapeHTML_ = escape;
+ }
+
+ public boolean getEscapeHTML()
+ {
+ return escapeHTML_;
+ }
+
public String event(String name, String beanId) throws Exception
{
UIForm uiForm = getAncestorOfType(UIForm.class);
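Review bot: The new accessor pair carries no Javadoc, and the boolean reader is named `getEscapeHTML` rather than `isEscapeHTML`, which is the JavaBean convention for a boolean property and is what bean-introspection-based templates look for when resolving `escapeHTML`. Since the field is private, this getter is the only way a template or subclass can find out whether encoding is on, so its contract is worth stating. Suggested Javadoc for the setter: `/** Enable or disable HTML-entity encoding of the bean label before it is rendered; off by default. */`, and for the getter: `/** @return whether the bean label is entity-encoded before rendering, see {@link #setEscapeHTML(boolean)}. */`. If renaming is too disruptive for existing callers, adding an `isEscapeHTML()` alias that delegates to this one keeps both working.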
@@ -305,6 +321,12 @@
{
fieldValue = fieldValue.substring(0, getMaxTitleCharacter() - 3) +
"...";
}
+
+ if (escapeHTML_)
+ {
+ fieldValue = fieldValue != null ? EntityEncoder.FULL.encode(fieldValue) :
fieldValue;
+ }
+
if (nodeIcon.equals(expandIcon))
{
builder.append(" <div
class=\"").append(nodeIcon).append("\"
onclick=\"").append(actionLink).append("\">");
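Review bot: Encoding of the label is opt-in here: `escapeHTML_` is initialised to false in the @@ -117 hunk, so every UITree that is not explicitly updated to call `setEscapeHTML(true)` (the three selectors in this commit are) keeps rendering the bean label unencoded; consider defaulting the field to true and letting callers that deliberately render trusted markup opt out, or at least make the default explicit on the field: `/** Encode the label with EntityEncoder.FULL before rendering; false by default, so callers showing user-supplied labels must enable it. */`. The null guard on the encode line looks redundant, because the preceding `fieldValue.substring(...)` already dereferences the value unless the surrounding condition, which starts outside the hunk, can leave it null; if it can, the guard belongs on the substring too. Encoding after truncation is the right order, since truncating an encoded string could cut an entity in half. Only `fieldValue` is encoded; `nodeIcon` and `actionLink` are still appended into attribute values unencoded, which is fine if they come solely from server-side code, but `actionLink` appears to be derived from the bean id via `event(name, beanId)`, so that path is worth confirming.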
Modified:
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupMembershipSelector.java
===================================================================
---
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupMembershipSelector.java 2011-09-14
04:48:39 UTC (rev 7398)
+++
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupMembershipSelector.java 2011-09-14
06:10:00 UTC (rev 7399)
@@ -68,6 +68,7 @@
tree.setSelectedIcon("PortalIcon");
tree.setBeanIdField("id");
tree.setBeanLabelField("label");
+ tree.setEscapeHTML(true);
uiBreadcumbs.setBreadcumbsStyle("UIExplorerHistoryPath");
}
Modified:
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupSelector.java
===================================================================
---
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupSelector.java 2011-09-14
04:48:39 UTC (rev 7398)
+++
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupSelector.java 2011-09-14
06:10:00 UTC (rev 7399)
@@ -71,6 +71,7 @@
tree.setBeanIdField("id");
//tree.setBeanLabelField("groupName");
tree.setBeanLabelField("label");
+ tree.setEscapeHTML(true);
uiBreadcumbs.setBreadcumbsStyle("UIExplorerHistoryPath");
}
Modified:
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/account/UIGroupSelector.java
===================================================================
---
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/account/UIGroupSelector.java 2011-09-14
04:48:39 UTC (rev 7398)
+++
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/account/UIGroupSelector.java 2011-09-14
06:10:00 UTC (rev 7399)
@@ -75,6 +75,7 @@
tree.setBeanIdField("id");
//tree.setBeanLabelField("groupName");
tree.setBeanLabelField("label");
+ tree.setEscapeHTML(true);
uiBreadcumbs.setBreadcumbsStyle("UIExplorerHistoryPath");
}