Author: kien_nguyen
Date: 2010-11-16 22:06:57 -0500 (Tue, 16 Nov 2010)
New Revision: 5118
Modified:
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl
Log:
EXOGTN-147 [PLF] XSS issues in the application registry related to category display names
Modified:
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java
===================================================================
---
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java 2010-11-17
03:03:47 UTC (rev 5117)
+++
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategorySelector.java 2010-11-17
03:06:57 UTC (rev 5118)
@@ -18,6 +18,8 @@
import org.exoplatform.webui.form.UIFormInputSet;
import org.exoplatform.webui.form.UIFormPageIterator;
+import org.gatein.common.text.EntityEncoder;
+
import java.util.ArrayList;
import java.util.List;
@@ -76,6 +78,8 @@
UIFormCheckBoxInput<Boolean> checkBoxInput;
UIFormInputInfo uiInfo;
+ EntityEncoder encoder = EntityEncoder.FULL;
+
//
ApplicationRegistryService appRegService =
getApplicationComponent(ApplicationRegistryService.class);
List<ApplicationCategory> categories = getAllCategories();
@@ -90,7 +94,7 @@
defaultValue = appRegService.getApplication(category.getName(),
definitionName) != null;
}
checkBoxInput = new UIFormCheckBoxInput<Boolean>("category_" +
category.getName(), null, defaultValue);
- uiInfo = new UIFormInputInfo("categoryName", null,
category.getDisplayName());
+ uiInfo = new UIFormInputInfo("categoryName", null,
encoder.encode(category.getDisplayName()));
uiInputSet.addChild(checkBoxInput);
uiInputSet.addChild(uiInfo);
uiTableInputSet.addChild(uiInputSet);
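Review bot: Encoding the display name before it is handed to `UIFormInputInfo` (L43–L44) bakes HTML entities into the component's value, so correctness now depends on the `UIFormInputInfo` template emitting that value raw — if it escapes on render the label is double-encoded, and if the value is ever reused in a non-HTML context (attribute, JavaScript) this encoding is the wrong one. Output encoding normally belongs at the render site; if the component is kept as the encoding point, record the contract next to it: `// display name is HTML-encoded here; UIFormInputInfo's template must not encode it again`. `encoder.encode(category.getDisplayName())` is also called without a null guard — if a category can lack a display name, check for that before encoding. Note that `category.getName()` still flows unencoded into the checkbox input's name on L39–L40; whether that is safe depends on category names being validated at creation time, which this diff does not show. The enclosing method starts and ends outside this hunk.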
Modified:
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl
===================================================================
---
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl 2010-11-17
03:03:47 UTC (rev 5117)
+++
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIGadgetInfo.gtmpl 2010-11-17
03:06:57 UTC (rev 5118)
@@ -1,6 +1,8 @@
<%
import org.exoplatform.applicationregistry.webui.component.UICategorySelector;
-
+ import org.gatein.common.text.EntityEncoder;
+
+ EntityEncoder encoder = EntityEncoder.FULL;
def gadget = uicomponent.getGadget();
boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
String srcBGError =
"/eXoResources/skin/sharedImages/Icon80x80/DefaultPortlet.png";
@@ -59,7 +61,7 @@
<table>
<tr>
<td
class="LeftLabel"><%=_ctx.appRes("UIGadgetInfo.label.categories")%></td>
- <td class="RightLabel">$categoryNames
+ <td class="RightLabel"><%= encoder.encode(categoryNames) %>
<% if (categoryNames.equals("")) { %>
<%=_ctx.appRes("UIGadgetInfo.label.categories.guide")%><br/>
<% if (!selectorRender) { %>
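Review bot: `encoder.encode(categoryNames)` on L74 escapes the joined display names for an HTML text node, which is the right context here, but `categoryNames` is assigned outside this hunk and is presumably built by joining display names with a literal separator, so the separator is encoded as well — harmless for a comma, worth confirming if it is markup. Any other gadget metadata this template interpolates with `$var` (title, description, author) lies outside the hunk and would need the same encoding to close the bug class named in EXOGTN-147. The pre-existing `categoryNames.equals("")` on L75 throws if the getter can return null; `"".equals(categoryNames)` is the null-safe form if that is possible. A short note at the encode site would help the next editor keep it: `<% /* category display names are user-supplied: always entity-encode */ %>`.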
Modified:
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl
===================================================================
---
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl 2010-11-17
03:03:47 UTC (rev 5117)
+++
exo/portal/branches/3.1.x/portlet/exoadmin/src/main/webapp/groovy/applicationregistry/webui/component/UIPortletInfo.gtmpl 2010-11-17
03:06:57 UTC (rev 5118)
@@ -2,9 +2,11 @@
import java.util.Iterator;
import java.util.Map.Entry;
import org.exoplatform.applicationregistry.webui.component.UICategorySelector;
+ import org.gatein.common.text.EntityEncoder;
- boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
- String categoryNames = uicomponent.getCategorieNames();
+ boolean selectorRender = uicomponent.getChild(UICategorySelector.class).isRendered();
+ String categoryNames = uicomponent.getCategorieNames();
+ EntityEncoder encoder = EntityEncoder.FULL;
def portlet = uicomponent.getPortlet();
def portletPreferences = portlet.getPortletPreferences();
String srcBG = "/" + portlet.getPortletGroup() +
"/skin/DefaultSkin/portletIcons/" + portlet.getName() + ".png";
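Review bot: L92–L95 are removed and re-added with only whitespace differences, which inflates the diff and hides the real change (the `EntityEncoder` import on L91 and the declaration on L96); keep the original two lines untouched and insert only the new ones. Separately, the context lines L99–L100 build `srcBG` from `portlet.getPortletGroup()` and `portlet.getName()` with no encoding; if that string lands in an attribute further down the template (outside this hunk) it is the same class of issue as the category names and deserves a follow-up, hedged on those values being server-controlled.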
@@ -64,7 +66,7 @@
</tr>
<tr>
<td class="LeftLabel"><%=
_ctx.appRes("UIPortletInfo.label.categories") %></td>
- <td class="RightLabel">$categoryNames
+ <td class="RightLabel"><%= encoder.encode(categoryNames) %>
<% if (categoryNames.equals("")) { %>
<%=_ctx.appRes("UIPortletInfo.label.categories.guide")%><br/>
<% if (!selectorRender) { %>
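Review bot: The fix on L107 is correct for an HTML text node, but the same three-line setup (`import org.gatein.common.text.EntityEncoder` plus `EntityEncoder encoder = EntityEncoder.FULL`) is now duplicated across both templates and the Java component, and the decision of where to encode differs between them — the templates encode at render time while `UICategorySelector` pre-encodes the model value. Pick one convention (render-time encoding in the template is the conventional choice) and document it once so future fields in these templates are handled the same way. As in the gadget template, the pre-existing `categoryNames.equals("")` on L108 will throw if `getCategorieNames()` can return null; `"".equals(categoryNames)` avoids that. Other portlet metadata rendered with `$var` in the rest of this template is outside the hunk and should be checked for the same omission.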