Author: ndkhoiits Date: 2011-09-14 00:48:39 -0400 (Wed, 14 Sep 2011) New Revision: 7398 Added: portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/validator/EscapeHTMLValidator.java Modified: portal/branches/xss/ portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_vi.properties portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java Log: GTNPORTAL-2065 XSS vulnerability at portlet description Property changes on: portal/branches/xss ___________________________________________________________________ Modified: svn:mergeinfo - /epp/portal/branches/EPP_5_1_Branch:6841 /portal/branches/branch-GTNPORTAL-1790:5864-5919 /portal/branches/branch-GTNPORTAL-1822:5938-5991 /portal/branches/branch-GTNPORTAL-1832:5993-6105 /portal/branches/branch-GTNPORTAL-1872:6327-6594 /portal/branches/branch-GTNPORTAL-1921:6597-6803 /portal/branches/branch-GTNPORTAL-1963:6902-6986 /portal/branches/decoupled-webos:6214-6243 /portal/branches/dom:7272-7349 /portal/branches/gatein-management:6920-6958 /portal/branches/global-portlet-metadata:6298-6384 /portal/branches/site-describability:6171-6235 /portal/branches/wsrp-extraction:5828-6031 /portal/branches/xss-issues:7350-7351 + /epp/portal/branches/EPP_5_1_Branch:6841 /portal/branches/branch-GTNPORTAL-1790:5864-5919 /portal/branches/branch-GTNPORTAL-1822:5938-5991 /portal/branches/branch-GTNPORTAL-1832:5993-6105 /portal/branches/branch-GTNPORTAL-1872:6327-6594 /portal/branches/branch-GTNPORTAL-1921:6597-6803 /portal/branches/branch-GTNPORTAL-1963:6902-6986 /portal/branches/decoupled-webos:6214-6243 /portal/branches/dom:7272-7349 /portal/branches/gatein-management:6920-6958 /portal/branches/global-portlet-metadata:6298-6384 /portal/branches/site-describability:6171-6235 /portal/branches/wsrp-extraction:5828-6031 /portal/branches/xss-issues:7350-7351,7358 Modified: portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java =================================================================== --- portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java 2011-09-14 03:03:32 UTC (rev 7397) +++ portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java 2011-09-14 04:48:39 UTC (rev 7398) @@ -22,24 +22,23 @@ import org.exoplatform.application.registry.Application; import org.exoplatform.application.registry.ApplicationCategory; import org.exoplatform.application.registry.ApplicationRegistryService; -import org.exoplatform.portal.application.PortalRequestContext; -import org.exoplatform.portal.webui.portal.UIPortal; +import org.exoplatform.commons.serialization.api.annotations.Serialized; import org.exoplatform.web.application.ApplicationMessage; import org.exoplatform.webui.application.WebuiRequestContext; -import org.exoplatform.commons.serialization.api.annotations.Serialized; import org.exoplatform.webui.config.annotation.ComponentConfig; import org.exoplatform.webui.config.annotation.EventConfig; import org.exoplatform.webui.core.UIApplication; import org.exoplatform.webui.core.lifecycle.UIFormLifecycle; import org.exoplatform.webui.event.Event; +import org.exoplatform.webui.event.Event.Phase; import org.exoplatform.webui.event.EventListener; -import org.exoplatform.webui.event.MonitorEvent; -import org.exoplatform.webui.event.Event.Phase; import org.exoplatform.webui.form.UIForm; import org.exoplatform.webui.form.UIFormStringInput; import org.exoplatform.webui.form.UIFormTextAreaInput; +import org.exoplatform.webui.form.validator.EscapeHTMLValidator; import org.exoplatform.webui.form.validator.MandatoryValidator; import org.exoplatform.webui.form.validator.NameValidator; +import org.exoplatform.webui.form.validator.SpecialCharacterValidator; import org.exoplatform.webui.form.validator.StringLengthValidator; import java.util.Calendar; @@ -56,7 +55,7 @@ @Serialized public class UIApplicationForm extends UIForm { - + private Application application_; public UIApplicationForm() throws Exception @@ -64,9 +63,10 @@ addUIFormInput(new UIFormStringInput("applicationName", "applicationName", null).addValidator( MandatoryValidator.class).addValidator(StringLengthValidator.class, 3, 30).addValidator(NameValidator.class)); addUIFormInput(new UIFormStringInput("displayName", "displayName", null).addValidator( - StringLengthValidator.class, 3, 30)); - addUIFormInput(new UIFormTextAreaInput("description", "description", null).addValidator( - StringLengthValidator.class, 0, 255)); + StringLengthValidator.class, 3, 30).addValidator(EscapeHTMLValidator.class)); + addUIFormInput(new UIFormTextAreaInput("description", "description", null) + .addValidator(StringLengthValidator.class, 0, 255) + .addValidator(EscapeHTMLValidator.class)); } public void setValues(Application app) throws Exception Modified: portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java =================================================================== --- portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java 2011-09-14 03:03:32 UTC (rev 7397) +++ portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java 2011-09-14 04:48:39 UTC (rev 7398) @@ -22,9 +22,9 @@ import org.exoplatform.application.registry.Application; import org.exoplatform.application.registry.ApplicationCategory; import org.exoplatform.application.registry.ApplicationRegistryService; +import org.exoplatform.commons.serialization.api.annotations.Serialized; import org.exoplatform.web.application.ApplicationMessage; import org.exoplatform.webui.application.WebuiRequestContext; -import org.exoplatform.commons.serialization.api.annotations.Serialized; import org.exoplatform.webui.config.annotation.ComponentConfig; import org.exoplatform.webui.config.annotation.EventConfig; import org.exoplatform.webui.core.UIApplication; @@ -36,6 +36,7 @@ import org.exoplatform.webui.form.UIFormStringInput; import org.exoplatform.webui.form.UIFormTabPane; import org.exoplatform.webui.form.UIFormTextAreaInput; +import org.exoplatform.webui.form.validator.EscapeHTMLValidator; import org.exoplatform.webui.form.validator.IdentifierValidator; import org.exoplatform.webui.form.validator.MandatoryValidator; import org.exoplatform.webui.form.validator.StringLengthValidator; @@ -74,7 +75,7 @@ MandatoryValidator.class).addValidator(StringLengthValidator.class, 3, 30).addValidator( IdentifierValidator.class)); uiCategorySetting.addUIFormInput(new UIFormStringInput(FIELD_DISPLAY_NAME, FIELD_DISPLAY_NAME, null) - .addValidator(StringLengthValidator.class, 3, 30)); + .addValidator(StringLengthValidator.class, 3, 30).addValidator(EscapeHTMLValidator.class)); uiCategorySetting.addUIFormInput(new UIFormTextAreaInput(FIELD_DESCRIPTION, FIELD_DESCRIPTION, null) .addValidator(StringLengthValidator.class, 0, 255)); addChild(uiCategorySetting); Modified: portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties =================================================================== --- portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties 2011-09-14 03:03:32 UTC (rev 7397) +++ portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties 2011-09-14 04:48:39 UTC (rev 7398) @@ -111,6 +111,12 @@ URLValidator.msg.invalid-url=The "{0}" field does not contain a valid URL. ############################################################################# + # Escape HTML character Validator # + ############################################################################# + +EscapeHTMLValidator.msg.value-invalid=The "{0}" field is invalid, it should not contain < or >. + + ############################################################################# # Label for UIFormMultiValueInputSet # ############################################################################# Modified: portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_vi.properties =================================================================== --- portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_vi.properties 2011-09-14 03:03:32 UTC (rev 7397) +++ portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_vi.properties 2011-09-14 04:48:39 UTC (rev 7398) @@ -85,6 +85,12 @@ URLValidator.msg.invalid-url=Giá trị trường "{0}" không hợp lệ! ############################################################################# + # Escape HTML character Validator # + ############################################################################# + +EscapeHTMLValidator.msg.value-invalid=Giá trị trường "{0}" không hợp lệ, không cho phép dấu < hoặc >. + + ############################################################################# # Label for UIFormMultiValueInputSet # ############################################################################# Modified: portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl =================================================================== --- portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl 2011-09-14 03:03:32 UTC (rev 7397) +++ portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl 2011-09-14 04:48:39 UTC (rev 7398) @@ -3,6 +3,7 @@ def categories = uicomponent.getCategories(); def selectedCategory = uicomponent.getSelectedCategory(); +EntityEncoder encoder = EntityEncoder.FULL; %> <div class="UIOrganizerManagement" id="$uicomponent.id"> <div class="AppRegistryContainer"> @@ -15,15 +16,14 @@ <% String cTab, cName, description, displayName; boolean isSelected = false; - for(category in categories) { - cName = category.getName(); - EntityEncoder encoder = EntityEncoder.FULL; + for(category in categories) { + cName = category.getName(); displayName = encoder.encode(category.getDisplayName()); - if(displayName == null || displayName.length() < 1 ) displayName = cName; - if(selectedCategory != null && cName == selectedCategory.getName()) { + if (displayName == null || displayName.length() < 1 ) displayName = cName; + if (selectedCategory != null && cName == selectedCategory.getName()) { isSelected = true; cTab = "SelectedTab"; - }else { + } else { isSelected = false; cTab = "NormalTab"; } @@ -34,11 +34,12 @@ <%= displayName %> </a> </div> - <% if(isSelected) { %> + <% if (isSelected) { %> <div class="UIVTabContent" style="display: block"> <% - for(application in uicomponent.getApplications()) { - String applicationLabel = application.getDisplayName(); + for (application in uicomponent.getApplications()) { + String applicationName = encoder.encode(application.getDisplayName()); + String applicationDescription = encoder.encode(application.getDescription()); String srcBG = application.getIconURL(); String srcBGError = "/eXoResources/skin/sharedImages/Icon80x80/DefaultPortlet.png"; %> @@ -46,9 +47,9 @@ <div class="VTabContentBG"> <div class="OverflowContainer"> <img src="<%=(srcBG!=null && srcBG.length()>0)?srcBG:srcBGError%>" onError="src='$srcBGError'" alt=""/> - <div class="ContentInfo" title="<%= application.getDisplayName() %>" style="cursor:move;"> - <div class="LabelTab">$applicationLabel</div> - <div class="LableText"><%= application.getDescription() %></div> + <div class="ContentInfo" title="$applicationName" style="cursor:move;"> + <div class="LabelTab">$applicationName</div> + <div class="LableText">$applicationDescription</div> </div> <div class="ClearLeft"><span></span></div> </div> Modified: portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl =================================================================== --- portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl 2011-09-14 03:03:32 UTC (rev 7397) +++ portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl 2011-09-14 04:48:39 UTC (rev 7398) @@ -1,8 +1,9 @@ <% - import org.exoplatform.portal.webui.page.UIPage; + import org.exoplatform.portal.webui.workspace.UIPortalApplication; + import org.exoplatform.web.application.JavascriptManager; + import org.gatein.common.text.EntityEncoder; + import javax.portlet.WindowState; - import org.exoplatform.web.application.JavascriptManager; - import org.exoplatform.portal.webui.workspace.UIPortalApplication; def rcontext = _ctx.getRequestContext(); @@ -20,6 +21,9 @@ WindowState windowState = uicomponent.getCurrentWindowState(); String portletId = uicomponent.getId(); + EntityEncoder encoder = EntityEncoder.FULL; + + String title = encoder.encode(uicomponent.getDisplayTitle()); if(uiPortalApp.isEditing()) { %> <div class="UIPortlet <%=hasPermission?"":"ProtectedPortlet"%>" id="UIPortlet-$portletId" onmouseover="eXo.portal.UIPortal.blockOnMouseOver(event, this, true);" onmouseout="eXo.portal.UIPortal.blockOnMouseOver(event, this, false);" @@ -35,7 +39,7 @@ <div class="CPortletLayoutDecorator"> <% if(hasPermission) { - print uicomponent.getDisplayTitle(); + print title; } else print "<div class='ProtectedContent'>"+_ctx.appRes("UIPortlet.label.protectedContent")+"</div>"; %> </div> @@ -52,7 +56,6 @@ if(portalMode != uiPortalApp.CONTAINER_BLOCK_EDIT_MODE && portalMode != uiPortalApp.APP_BLOCK_EDIT_MODE) { if(uicomponent.getShowInfoBar()) { - String title = uicomponent.getDisplayTitle(); if(title == null || title.trim().length() < 1) title = portletId; /*Begin Window Portlet Bar*/ @@ -228,7 +231,6 @@ String portletIcon = uicomponent.getIcon(); if(portletIcon == null) portletIcon = "PortletIcon"; - String title = uicomponent.getDisplayTitle(); if(title.length() > 30) title = title.substring(0,27) + "..."; %> <div class="PortletIcon $portletIcon"><%=hasPermission ? title : _ctx.appRes("UIPortlet.label.protectedContent")%></div> Added: portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/validator/EscapeHTMLValidator.java =================================================================== --- portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/validator/EscapeHTMLValidator.java (rev 0) +++ portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/validator/EscapeHTMLValidator.java 2011-09-14 04:48:39 UTC (rev 7398) @@ -0,0 +1,72 @@ +/** + * Copyright (C) 2011 eXo Platform SAS. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package org.exoplatform.webui.form.validator; + +import org.exoplatform.web.application.ApplicationMessage; +import org.exoplatform.webui.core.UIComponent; +import org.exoplatform.webui.exception.MessageException; +import org.exoplatform.webui.form.UIForm; +import org.exoplatform.webui.form.UIFormInput; + +/** + * @author <a href="mailto:ndkhoi168@gmail.com">Nguyen Duc Khoi</a> + * Sep 14, 2011 + */ +public class EscapeHTMLValidator implements Validator +{ + private static final String REGEX = "[^\\<\\>]*"; + + private String key_; + + public EscapeHTMLValidator() + { + key_ = "EscapeHTMLValidator.msg.value-invalid"; + } + + public EscapeHTMLValidator(final String key) + { + if (key == null) + throw new IllegalArgumentException("Message key has to not null value"); + key_ = key; + } + + @Override + public void validate(UIFormInput uiInput) throws Exception + { + if ((uiInput.getValue() == null) || (uiInput.getValue().toString().trim().length() == 0)) + return; + String s = uiInput.getValue().toString().trim(); + if (s.matches(REGEX)) + return; + + UIForm uiForm = ((UIComponent)uiInput).getAncestorOfType(UIForm.class); + String label; + try + { + label = uiForm.getId() + ".label." + uiInput.getName(); + } + catch (Exception e) + { + label = uiInput.getName(); + } + Object[] args = {label}; + throw new MessageException(new ApplicationMessage(key_, args, ApplicationMessage.WARNING)); + } + +} Modified: portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl =================================================================== --- portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl 2011-09-14 03:03:32 UTC (rev 7397) +++ portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl 2011-09-14 04:48:39 UTC (rev 7398) @@ -1,11 +1,14 @@ <% + import org.gatein.common.text.EntityEncoder; + def uiDashboard = uicomponent.getAncestorOfType(org.exoplatform.dashboard.webui.component.UIDashboard.class); if(!uiDashboard.canEdit()) return; def uiPopup = uicomponent.getAncestorOfType(org.exoplatform.webui.core.UIPopupWindow.class); def rcontext = _ctx.getRequestContext(); rcontext.getJavascriptManager().addJavascript("eXo.webui.UIDashboard.initPopup('"+uiPopup.getId()+"');"); - + + EntityEncoder encoder = EntityEncoder.FULL; %> <div class="$uicomponent.id" id="UIDashboardSelectContainer" style="display: <%= uiDashboard.isShowSelectPopup()? "block" : "none"; %>;"> <div class="DashboardItemContainer ItemContainer"> @@ -21,13 +24,15 @@ <% List categories = uicomponent.getCategories(); if(categories != null && categories.size() > 0){ for(category in categories){ + String categoryName = category.getDisplayName(); + categoryName = categoryName == null ? "" : encoder.encode(categoryName); %> <div class="GadgetCategory" id="${category.getName()}"> <div class="GadgetTab SelectedTab" onclick="eXo.webui.UIDashboard.onTabClick(this, 'NormalTab', 'SelectedTab')"> <div class="LeftCategoryTitleBar"> <div class="RightCategoryTitleBar"> <div class="MiddleCategoryTitleBar"> - <div class="ArrowIcon" title="${category.getDisplayName()}">${category.getDisplayName()}</div> + <div class="ArrowIcon" title="$categoryName">$categoryName</div> </div> </div> </div> @@ -40,12 +45,13 @@ // uiPopup.setWindowSize(-1, 600); for(gadget in lstGadgets){ + String gadgetName = gadget.getDisplayName(); + gadgetName = gadgetName == null ? "" : encoder.encode(gadgetName); %> <div class="UIGadget SelectItem Item" id="${gadget.getId()}" style="top:0px; left:0px;"> <div class="GadgetControl"> - <% def label = gadget.getDisplayName() %> - <div class="GadgetTitle" style="cursor:move;" title="$label"> - <%= (label.length() <= 23) ? label : label.substring(0, 20)+"..." %> + <div class="GadgetTitle" style="cursor:move;" title="$gadgetName"> + <%= (gadgetName.length() <= 23) ? gadgetName : gadgetName.substring(0, 20)+"..." %> </div> </div> </div> Modified: portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java =================================================================== --- portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java 2011-09-14 03:03:32 UTC (rev 7397) +++ portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java 2011-09-14 04:48:39 UTC (rev 7398) @@ -46,6 +46,7 @@ import org.exoplatform.webui.event.Event.Phase; import org.exoplatform.webui.event.EventListener; import org.exoplatform.webui.form.*; +import org.exoplatform.webui.form.validator.EscapeHTMLValidator; import org.exoplatform.webui.form.validator.ExpressionValidator; import org.exoplatform.webui.form.validator.MandatoryValidator; import org.exoplatform.webui.form.validator.StringLengthValidator; @@ -97,7 +98,7 @@ addValidator(MandatoryValidator.class).setEditable(false)). addUIFormInput(new UIFormStringInput("windowId", "windowId", null).setEditable(false)).*/ addUIFormInput(new UIFormInputInfo("displayName", "displayName", null)).addUIFormInput( - new UIFormStringInput("title", "title", null).addValidator(StringLengthValidator.class, 3, 60).addValidator(ExpressionValidator.class, "[^\\<\\>]*", + new UIFormStringInput("title", "title", null).addValidator(StringLengthValidator.class, 3, 60).addValidator(EscapeHTMLValidator.class, "UIPortletForm.msg.InvalidPortletTitle")) .addUIFormInput( new UIFormStringInput("width", "width", null).addValidator(ExpressionValidator.class, "(^([1-9]\\d*)px$)?", @@ -107,8 +108,8 @@ new UIFormCheckBoxInput("showInfoBar", "showInfoBar", false)).addUIFormInput( new UIFormCheckBoxInput("showPortletMode", "showPortletMode", false)).addUIFormInput( new UIFormCheckBoxInput("showWindowState", "showWindowState", false)).addUIFormInput( - new UIFormTextAreaInput("description", "description", null).addValidator(StringLengthValidator.class, 0, - 255).addValidator(ExpressionValidator.class, "[^\\<\\>]*", "UIPortletForm.msg.InvalidPortletDescription")); + new UIFormTextAreaInput("description", "description", null).addValidator(StringLengthValidator.class, + 0, 255).addValidator(EscapeHTMLValidator.class, "UIPortletForm.msg.InvalidPortletDescription")); addUIFormInput(uiSettingSet); UIFormInputIconSelector uiIconSelector = new UIFormInputIconSelector("Icon", "icon"); addUIFormInput(uiIconSelector);