Author: thomas.heute(a)jboss.com
Date: 2010-03-29 07:56:28 -0400 (Mon, 29 Mar 2010)
New Revision: 2382
Modified:
portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties
portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_fr.properties
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java
Log:
GTNPORTAL-731: XSS in portlet settings
Don't accept < and > in portlet title and description
Modified:
portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties
===================================================================
---
portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties 2010-03-29
10:43:10 UTC (rev 2381)
+++
portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties 2010-03-29
11:56:28 UTC (rev 2382)
@@ -315,6 +315,8 @@
UIPortletForm.Theme.title.SetDefault=Get Default
UIPortletForm.Icon.title.SetDefault=Get Default
UIPortletForm.msg.InvalidWidthHeight=You must enter a pixel value in field
"{0}".
+UIPortletForm.msg.InvalidPortletTitle=Portlet title is invalid, it should not contain
< or >.
+UIPortletForm.msg.InvalidPortletDescription=Portlet description is invalid, it should not
contain < or >.
#############################################################################
# org.exoplatform.portal.component.customization.UIDescription #
Modified:
portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_fr.properties
===================================================================
---
portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_fr.properties 2010-03-29
10:43:10 UTC (rev 2381)
+++
portal/trunk/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_fr.properties 2010-03-29
11:56:28 UTC (rev 2382)
@@ -299,6 +299,8 @@
UIPortletForm.Theme.title.SetDefault=Utiliser la valeur par défaut
UIPortletForm.Icon.title.SetDefault=Utiliser la valeur par défaut
UIPortletForm.msg.InvalidWidthHeight=Le champ "{0}" doit être une valeur en
pixel!
+UIPortletForm.msg.InvalidPortletTitle=Le title de la portlet est invalide, il ne doit pas
contenir < ni >.
+UIPortletForm.msg.InvalidPortletDescription=La description de la portlet est invalide,
elle ne doit pas contenir < ni >.
#############################################################################
# org.exoplatform.portal.component.customization.UIDescription #
Modified:
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java
===================================================================
---
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java 2010-03-29
10:43:10 UTC (rev 2381)
+++
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java 2010-03-29
11:56:28 UTC (rev 2382)
@@ -113,7 +113,8 @@
addValidator(MandatoryValidator.class).setEditable(false)).
addUIFormInput(new UIFormStringInput("windowId", "windowId",
null).setEditable(false)).*/
addUIFormInput(new UIFormInputInfo("displayName",
"displayName", null)).addUIFormInput(
- new UIFormStringInput("title", "title",
null).addValidator(StringLengthValidator.class, 3, 60))
+ new UIFormStringInput("title", "title",
null).addValidator(StringLengthValidator.class, 3,
60).addValidator(ExpressionValidator.class, "[^\\<\\>]*",
+ "UIPortletForm.msg.InvalidPortletTitle"))
.addUIFormInput(
new UIFormStringInput("width", "width",
null).addValidator(ExpressionValidator.class, "(^([1-9]\\d*)px$)?",
"UIPortletForm.msg.InvalidWidthHeight")).addUIFormInput(
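Review bot: The `[^\\<\\>]*` pattern added to the title validator here (and the identical one on the description validator in the next hunk) rejects only the two tag characters, so it hardens one rendering context; a title echoed into an HTML attribute or a script block is not covered by this check and still depends on the template encoding the value for its context, which this commit does not touch, so the validator is best treated as defense in depth rather than the fix. Whether the pattern even fires depends on how ExpressionValidator matches — if it uses find() rather than a whole-input match, `[^<>]*` matches the empty string in any input and accepts everything; the width validator on the same form spells out `^`/`$`, so anchoring this one the same way, `"^[^<>]*$"`, costs nothing and removes the ambiguity (the backslashes inside the character class are unnecessary). The literal is duplicated across both hunks; a `private static final String NO_ANGLE_BRACKETS = "^[^<>]*$";` referenced by both validators would keep the two fields in step. The enclosing method (presumably the form constructor) starts and ends outside the hunk.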
@@ -123,7 +124,7 @@
new UIFormCheckBoxInput("showPortletMode",
"showPortletMode", false)).addUIFormInput(
new UIFormCheckBoxInput("showWindowState",
"showWindowState", false)).addUIFormInput(
new UIFormTextAreaInput("description", "description",
null).addValidator(StringLengthValidator.class, 0,
- 255));
+ 255).addValidator(ExpressionValidator.class, "[^\\<\\>]*",
"UIPortletForm.msg.InvalidPortletDescription"));
addUIFormInput(uiSettingSet);
UIFormInputIconSelector uiIconSelector = new
UIFormInputIconSelector("Icon", "icon");
addUIFormInput(uiIconSelector);