Author: ndkhoiits
Date: 2011-09-07 05:03:45 -0400 (Wed, 07 Sep 2011)
New Revision: 7325
Modified:
portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl
Log:
GTNPORTAL-2061 XSS in Group description content
Modified:
portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl
===================================================================
---
portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl 2011-09-07
08:43:20 UTC (rev 7324)
+++
portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl 2011-09-07
09:03:45 UTC (rev 7325)
@@ -1,34 +1,43 @@
-<%
- import java.util.List;
- import org.exoplatform.webui.organization.OrganizationUtils;
- import org.exoplatform.portal.mop.SiteKey;
-
- def parent = uicomponent.getParent();
- def navigations = uicomponent.getBeans();
+<%
+ import org.exoplatform.portal.mop.SiteKey;
+ import org.exoplatform.webui.organization.OrganizationUtils;
+ import org.gatein.common.text.EntityEncoder;
+
+ import java.util.List;
+
+ def parent = uicomponent.getParent();
+ def navigations = uicomponent.getBeans();
%>
<div id="$uicomponent.id" class="FeedBox">
- <%
- boolean isEvenRow = true;
- SiteKey siteKey;
- for(navigation in navigations) {
- siteKey = navigation.getKey();
- deleteLink =
parent.event("DeleteNavigation",String.valueOf(siteKey.getName()));
- editProperties =
parent.event("EditProperties",String.valueOf(siteKey.getName()));
- editLink =
parent.event("EditNavigation",String.valueOf(siteKey.getName()));%>
+ <%
+ boolean isEvenRow = true;
+ SiteKey siteKey;
+ EntityEncoder encoder = EntityEncoder.FULL;
+ String descriptionLabel =
_ctx.appRes("UIGroupNavigationManagement.Label.Description");
+ String editNavigationLabel =
_ctx.appRes("UIGroupNavigationManagement.Label.EditNavigation");
+ String editPropertiesLabel =
_ctx.appRes("UIGroupNavigationManagement.Label.EditProperties");
+ String deleteNavigationLabel =
_ctx.appRes("UIGroupNavigationManagement.Label.DeleteNavigation");
+ for(navigation in navigations) {
+ siteKey = navigation.getKey();
+ String groupDescription =
encoder.encode(OrganizationUtils.getGroupDescription(siteKey.getName()));
+ String groupLabel =
encoder.encode(OrganizationUtils.getGroupLabel(siteKey.getName()));
+ String deleteLink =
parent.event("DeleteNavigation",String.valueOf(siteKey.getName()));
+ String editProperties =
parent.event("EditProperties",String.valueOf(siteKey.getName()));
+ String editLink =
parent.event("EditNavigation",String.valueOf(siteKey.getName()));%>
<table class="ManagementBlock <%=isEvenRow ?
"EvenRow":"OddRow"%>" style="table-layout:
fixed">
- <tr>
- <td class="Image"><img
src="/exoadmin/skin/navigation/webui/component/background/GroupImage.png"
alt="" /></td>
- <td class="Content">
- <div class="Label" title="$siteKey.name"><%=
OrganizationUtils.getGroupLabel(siteKey.getName()) %></div>
-
<div><%=_ctx.appRes("UIGroupNavigationManagement.Label.Description")%>:
<%= OrganizationUtils.getGroupDescription(siteKey.getName()) %></div>
- </td>
- <td class="ActionBlock">
- <a href="<%=editLink%>"
class="EditNavIcon"><%=_ctx.appRes("UIGroupNavigationManagement.Label.EditNavigation")%></a>
- <a href="<%=editProperties%>"
class="EditProIcon"><%=_ctx.appRes("UIGroupNavigationManagement.Label.EditProperties")%></a>
- <a href="<%=deleteLink%>"
class="DeleteIcon"><%=_ctx.appRes("UIGroupNavigationManagement.Label.DeleteNavigation")%></a>
- </td>
- </tr>
+ <tr>
+ <td class="Image"><img
src="/exoadmin/skin/navigation/webui/component/background/GroupImage.png"
alt="" /></td>
+ <td class="Content">
+ <div class="Label"
title="$siteKey.name">$groupLabel</div>
+ <div>$descriptionLabel: $groupDescription</div>
+ </td>
+ <td class="ActionBlock">
+ <a href="<%=editLink%>"
class="EditNavIcon">$editNavigationLabel</a>
+ <a href="<%=editProperties%>"
class="EditProIcon">$editPropertiesLabel</a>
+ <a href="<%=deleteLink%>"
class="DeleteIcon">$deleteNavigationLabel</a>
+ </td>
+ </tr>
</table>
- <% isEvenRow = !isEvenRow;} %>
+ <% isEvenRow = !isEvenRow;} %>
</div>
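Review bot: The `title="$siteKey.name"` attribute on the Label div is still interpolated unencoded, while the group label and description on the same rows now go through `encoder.encode(...)`; if the site/group name can carry quotes or angle brackets, that attribute remains an injection point the commit does not cover. A consistent fix is to encode it once next to the other values, e.g. `String siteName = encoder.encode(String.valueOf(siteKey.getName()));` and then use `title="$siteName"`. The resource-bundle labels from `_ctx.appRes(...)` are also emitted raw, which is presumably acceptable because bundles are trusted content, but a one-line comment such as `// appRes labels come from trusted bundles; user-supplied group data is entity-encoded` would make that assumption explicit for the next maintainer.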