Author: ndkhoiits
Date: 2011-09-12 06:38:27 -0400 (Mon, 12 Sep 2011)
New Revision: 7351
Modified:
portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UISiteManagement.gtmpl
portal/branches/xss-issues/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalForm.java
Log:
GTNPORTAL-2062 XSS issue when entering site description
Modified:
portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UISiteManagement.gtmpl
===================================================================
---
portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UISiteManagement.gtmpl 2011-09-12
10:26:25 UTC (rev 7350)
+++
portal/branches/xss-issues/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UISiteManagement.gtmpl 2011-09-12
10:38:27 UTC (rev 7351)
@@ -1,76 +1,81 @@
<%
+ import org.exoplatform.portal.config.UserPortalConfigService;
import org.exoplatform.webui.core.UIComponent ;
import org.exoplatform.webui.form.UIForm;
- import java.text.DateFormat;
- import java.text.SimpleDateFormat;
- import org.exoplatform.portal.config.UserPortalConfigService;
-
+
+ import org.gatein.common.text.EntityEncoder;
+
String[] actions = uicomponent.getActions();
uicomponent.loadPortalConfigs();
def rcontext = _ctx.getRequestContext();
def userPortalConfigService =
uicomponent.getApplicationComponent(UserPortalConfigService.class);
def defaultPortalName = userPortalConfigService.getDefaultPortal();
+ EntityEncoder encoder = EntityEncoder.FULL;
+
+ String editLayoutLabel = _ctx.appRes("UISiteManagement.label.editLayout");
+ String editNavigationLabel = _ctx.appRes("UISiteManagement.label.editNav");
+ String editPortalPropLabel =
_ctx.appRes("UISiteManagement.label.editPortalProp");
+ String deletePortalLabel =
_ctx.appRes("UISiteManagement.label.deletePortal");
%>
<div class="UISiteManagement UIManagement"
id="<%=uicomponent.getId();%>">
- <%
- for (portalConfig in uicomponent.getPortalConfigs()) {
- %>
- <table class="ManagementBlock" style="table-layout:
fixed">
- <tr>
- <td class="Image"><img
src="/exoadmin/skin/navigation/webui/component/background/PlImg.gif"
alt=""/></td>
- <td class="Content">
+ <%
+ for (portalConfig in uicomponent.getPortalConfigs()) {
+ %>
+ <table class="ManagementBlock" style="table-layout:
fixed">
+ <tr>
+ <td class="Image"><img
src="/exoadmin/skin/navigation/webui/component/background/PlImg.gif"
alt=""/></td>
+ <td class="Content">
<div
class="Label"><%=uicomponent.getFieldValue(portalConfig, 'name')
%></div>
<%
- def siteLabel = uicomponent.getFieldValue(portalConfig,
'label');
- def siteDescription = uicomponent.getFieldValue(portalConfig,
'description');
- if (siteLabel != null && siteLabel.trim().length()
> 0)
- {
+ String siteLabel = uicomponent.getFieldValue(portalConfig,
'label');
+ if (siteLabel != null && siteLabel.trim().length()
> 0) {
+ siteLabel = encoder.encode(siteLabel);
print
"""<div>$siteLabel</div>""";
}
- if (siteDescription != null &&
siteDescription.trim().length() > 0)
- {
+
+ String siteDescription =
uicomponent.getFieldValue(portalConfig, 'description');
+ if (siteDescription != null &&
siteDescription.trim().length() > 0) {
+ siteDescription = encoder.encode(siteDescription);
print
"""<div>$siteDescription</div>""";
}
%>
- </td>
- <td class="ActionBlock">
- <a href="<%=uicomponent.event("EditPortalLayout",
portalConfig.getName());%>"
class="EditLayoutIcon"><%=_ctx.appRes("UISiteManagement.label.editLayout")%></a>
- <a href="<%=uicomponent.event("EditNavigation",
portalConfig.getName());%>"
class="EditNavIcon"><%=_ctx.appRes("UISiteManagement.label.editNav")%></a>
- <a
href="javascript:ajaxGet(eXo.env.server.createPortalURL('UIPortal',
'EditPortalProperties', true,
[{name:'portalName',value:'<%=portalConfig.getName()%>'}]))"
class="EditNavIcon"><%=_ctx.appRes("UISiteManagement.label.editPortalProp")%></a>
-
- <% if(defaultPortalName != null &&
!defaultPortalName.equals(portalConfig.getName())) {%>
- <a href="<%=uicomponent.url("DeletePortal",
portalConfig.getName());%>"
class="DeleteIcon"><%=_ctx.appRes("UISiteManagement.label.deletePortal")%></a>
- <% } %>
- </td>
- </tr>
- </table>
- <%
- }
- %>
- <%
- if(uicomponent.getPortalConfigs() != null &&
uicomponent.getPortalConfigs().size() > 0){
- %>
- <div class="UIAction">
+ </td>
+ <td class="ActionBlock">
+ <a
href="<%=uicomponent.event("EditPortalLayout",
portalConfig.getName());%>"
class="EditLayoutIcon">$editLayoutLabel</a>
+ <a
href="<%=uicomponent.event("EditNavigation",
portalConfig.getName());%>"
class="EditNavIcon">$editNavigationLabel</a>
+ <a
href="javascript:ajaxGet(eXo.env.server.createPortalURL('UIPortal',
'EditPortalProperties', true,
[{name:'portalName',value:'<%=portalConfig.getName()%>'}]))"
class="EditNavIcon">$editPortalPropLabel</a>
+
+ <% if(defaultPortalName != null &&
!defaultPortalName.equals(portalConfig.getName())) {%>
+ <a
href="<%=uicomponent.url("DeletePortal",
portalConfig.getName());%>"
class="DeleteIcon">$deletePortalLabel</a>
+ <% } %>
+ </td>
+ </tr>
+ </table>
+ <%
+ }
+ %>
+ <%
+ if(uicomponent.getPortalConfigs() != null &&
uicomponent.getPortalConfigs().size() > 0){
+ %>
+ <div class="UIAction">
<table class="ActionContainer">
- <tr>
- <td>
- <div
onclick="ajaxGet(eXo.env.server.createPortalURL('UIWorkingWorkspace',
'CreatePortal', true))" class="ActionButton BlueButton">
- <div class="ButtonLeft">
- <div class="ButtonRight">
- <div class="ButtonMiddle">
- <a
href="javascript:void(0);"><%=_ctx.appRes(uicomponent.getId() +
".action.addNewPortal")%></a>
- </div>
- </div>
- </div>
- </div>
- </td>
+ <tr>
+ <td>
+ <div
onclick="ajaxGet(eXo.env.server.createPortalURL('UIWorkingWorkspace',
'CreatePortal', true))" class="ActionButton BlueButton">
+ <div class="ButtonLeft">
+ <div class="ButtonRight">
+ <div class="ButtonMiddle">
+ <a
href="javascript:void(0);"><%=_ctx.appRes(uicomponent.getId() +
".action.addNewPortal")%></a>
+ </div>
+ </div>
+ </div>
+ </div>
+ </td>
</tr>
- </table>
- </div>
- <%
- }
- %>
- <%uicomponent.renderChildren();%>
-</div>
-
-
+ </table>
+ </div>
+ <%
+ }
+ %>
+ <%uicomponent.renderChildren();%>
+</div>
\ No newline at end of file
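Review bot: The site name is still written unencoded on the new side, both in the Label div (`<div class="Label"><%=uicomponent.getFieldValue(portalConfig, 'name') %></div>`) and inside the JavaScript string literal `value:'<%=portalConfig.getName()%>'` of the EditPortalProperties link, while this revision encodes only label and description. The name input carries IdentifierValidator in UIPortalForm.java, which presumably constrains its character set, but that is enforced by a different component and this template is the one exposed if a name reaches it by another path. For the Label div the encoder already in scope suffices, `<div class="Label"><%=encoder.encode(uicomponent.getFieldValue(portalConfig, 'name'))%></div>`; the JavaScript-literal context needs a JavaScript-string escape rather than HTML entity encoding, which EntityEncoder.FULL does not appear to provide here. A one-line comment next to `EntityEncoder encoder = EntityEncoder.FULL;` stating that label and description are user-supplied and must pass through `encoder.encode` before being printed would help the next editor of this template keep that invariant.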
Modified:
portal/branches/xss-issues/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalForm.java
===================================================================
---
portal/branches/xss-issues/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalForm.java 2011-09-12
10:26:25 UTC (rev 7350)
+++
portal/branches/xss-issues/webui/portal/src/main/java/org/exoplatform/portal/webui/portal/UIPortalForm.java 2011-09-12
10:38:27 UTC (rev 7351)
@@ -63,6 +63,7 @@
import org.exoplatform.webui.form.UIFormTabPane;
import org.exoplatform.webui.form.validator.IdentifierValidator;
import org.exoplatform.webui.form.validator.MandatoryValidator;
+import org.exoplatform.webui.form.validator.SpecialCharacterValidator;
import org.exoplatform.webui.form.validator.StringLengthValidator;
import org.exoplatform.webui.organization.UIListPermissionSelector;
import
org.exoplatform.webui.organization.UIListPermissionSelector.EmptyIteratorValidator;
@@ -242,7 +243,7 @@
new UIFormStringInput(FIELD_NAME, FIELD_NAME,
null).addValidator(MandatoryValidator.class).addValidator(
StringLengthValidator.class, 3,
30).addValidator(IdentifierValidator.class).setEditable(false));
- uiSettingSet.addUIFormInput(new UIFormStringInput(FIELD_LABEL, FIELD_LABEL,
null));
+ uiSettingSet.addUIFormInput(new UIFormStringInput(FIELD_LABEL, FIELD_LABEL,
null).addValidator(SpecialCharacterValidator.class));
uiSettingSet.addUIFormInput(new UIFormStringInput(FIELD_DESCRIPTION,
FIELD_DESCRIPTION, null));
uiSettingSet.addUIFormInput(new UIFormSelectBox(FIELD_LOCALE, FIELD_LOCALE,
languages).addValidator(MandatoryValidator.class));
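Review bot: SpecialCharacterValidator is added only to the FIELD_LABEL input, while the FIELD_DESCRIPTION input two lines below keeps no validator at all, even though the description is the field the log message names for GTNPORTAL-2062. The template change in this revision encodes both fields on output, which is the primary fix, so the input-side filter is defense-in-depth; applying it to one of the two fields without a stated reason leaves any other renderer of the description relying solely on its own encoding. Either add `.addValidator(SpecialCharacterValidator.class)` to the FIELD_DESCRIPTION input as well, or put a comment on that line explaining that the description is intentionally allowed to contain markup characters and depends on output encoding. The character rules SpecialCharacterValidator enforces are not visible on this page, so I cannot confirm what it rejects. The enclosing method starts and ends outside the hunk.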