Author: ndkhoiits Date: 2011-09-13 07:19:54 -0400 (Tue, 13 Sep 2011) New Revision: 7379 Modified: portal/branches/xss/ portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl Log: GTNPORTAL-2061 XSS in Group description content GTNPORTAL-2066 XSS vulnerabilities when creating new group Property changes on: portal/branches/xss ___________________________________________________________________ Modified: svn:mergeinfo - /epp/portal/branches/EPP_5_1_Branch:6841 /portal/branches/branch-GTNPORTAL-1790:5864-5919 /portal/branches/branch-GTNPORTAL-1822:5938-5991 /portal/branches/branch-GTNPORTAL-1832:5993-6105 /portal/branches/branch-GTNPORTAL-1872:6327-6594 /portal/branches/branch-GTNPORTAL-1921:6597-6803 /portal/branches/branch-GTNPORTAL-1963:6902-6986 /portal/branches/decoupled-webos:6214-6243 /portal/branches/dom:7272-7349 /portal/branches/gatein-management:6920-6958 /portal/branches/global-portlet-metadata:6298-6384 /portal/branches/site-describability:6171-6235 /portal/branches/wsrp-extraction:5828-6031 + /epp/portal/branches/EPP_5_1_Branch:6841 /portal/branches/branch-GTNPORTAL-1790:5864-5919 /portal/branches/branch-GTNPORTAL-1822:5938-5991 /portal/branches/branch-GTNPORTAL-1832:5993-6105 /portal/branches/branch-GTNPORTAL-1872:6327-6594 /portal/branches/branch-GTNPORTAL-1921:6597-6803 /portal/branches/branch-GTNPORTAL-1963:6902-6986 /portal/branches/decoupled-webos:6214-6243 /portal/branches/dom:7272-7349 /portal/branches/gatein-management:6920-6958 /portal/branches/global-portlet-metadata:6298-6384 /portal/branches/site-describability:6171-6235 /portal/branches/wsrp-extraction:5828-6031 /portal/branches/xss-issues:7350 Modified: portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl =================================================================== --- portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl 2011-09-13 11:13:36 UTC (rev 7378) +++ portal/branches/xss/portlet/exoadmin/src/main/webapp/groovy/navigation/webui/component/UINavigationGrid.gtmpl 2011-09-13 11:19:54 UTC (rev 7379) @@ -1,34 +1,51 @@ -<% - import java.util.List; - import org.exoplatform.webui.organization.OrganizationUtils; - import org.exoplatform.portal.mop.SiteKey; - - def parent = uicomponent.getParent(); - def navigations = uicomponent.getBeans(); +<% + import org.exoplatform.portal.mop.SiteKey; + import org.exoplatform.webui.organization.OrganizationUtils; + import org.gatein.common.text.EntityEncoder; + + import java.util.List; + + def parent = uicomponent.getParent(); + def navigations = uicomponent.getBeans(); %> <div id="$uicomponent.id" class="FeedBox"> - <% - boolean isEvenRow = true; - SiteKey siteKey; - for(navigation in navigations) { - siteKey = navigation.getKey(); - deleteLink = parent.event("DeleteNavigation",String.valueOf(siteKey.getName())); - editProperties = parent.event("EditProperties",String.valueOf(siteKey.getName())); - editLink = parent.event("EditNavigation",String.valueOf(siteKey.getName()));%> + <% + boolean isEvenRow = true; + SiteKey siteKey; + EntityEncoder encoder = EntityEncoder.FULL; + String descriptionLabel = _ctx.appRes("UIGroupNavigationManagement.Label.Description"); + String editNavigationLabel = _ctx.appRes("UIGroupNavigationManagement.Label.EditNavigation"); + String editPropertiesLabel = _ctx.appRes("UIGroupNavigationManagement.Label.EditProperties"); + String deleteNavigationLabel = _ctx.appRes("UIGroupNavigationManagement.Label.DeleteNavigation"); + for(navigation in navigations) { + siteKey = navigation.getKey(); + String groupDescription = OrganizationUtils.getGroupDescription(siteKey.getName()); + if (groupDescription) { + groupDescription = encoder.encode(groupDescription); + } + + String groupLabel = OrganizationUtils.getGroupLabel(siteKey.getName()) + if (groupLabel) { + groupLabel = encoder.encode(groupLabel); + } + + String deleteLink = parent.event("DeleteNavigation",String.valueOf(siteKey.getName())); + String editProperties = parent.event("EditProperties",String.valueOf(siteKey.getName())); + String editLink = parent.event("EditNavigation",String.valueOf(siteKey.getName()));%> <table class="ManagementBlock <%=isEvenRow ? "EvenRow":"OddRow"%>" style="table-layout: fixed"> - <tr> - <td class="Image"><img src="/exoadmin/skin/navigation/webui/component/background/GroupImage.png" alt="" /></td> - <td class="Content"> - <div class="Label" title="$siteKey.name"><%= OrganizationUtils.getGroupLabel(siteKey.getName()) %></div> - <div><%=_ctx.appRes("UIGroupNavigationManagement.Label.Description")%>: <%= OrganizationUtils.getGroupDescription(siteKey.getName()) %></div> - </td> - <td class="ActionBlock"> - <a href="<%=editLink%>" class="EditNavIcon"><%=_ctx.appRes("UIGroupNavigationManagement.Label.EditNavigation")%></a> - <a href="<%=editProperties%>" class="EditProIcon"><%=_ctx.appRes("UIGroupNavigationManagement.Label.EditProperties")%></a> - <a href="<%=deleteLink%>" class="DeleteIcon"><%=_ctx.appRes("UIGroupNavigationManagement.Label.DeleteNavigation")%></a> - </td> - </tr> + <tr> + <td class="Image"><img src="/exoadmin/skin/navigation/webui/component/background/GroupImage.png" alt="" /></td> + <td class="Content"> + <div class="Label" title="$siteKey.name">$groupLabel</div> + <div>$descriptionLabel: $groupDescription</div> + </td> + <td class="ActionBlock"> + <a href="<%=editLink%>" class="EditNavIcon">$editNavigationLabel</a> + <a href="<%=editProperties%>" class="EditProIcon">$editPropertiesLabel</a> + <a href="<%=deleteLink%>" class="DeleteIcon">$deleteNavigationLabel</a> + </td> + </tr> </table> - <% isEvenRow = !isEvenRow;} %> + <% isEvenRow = !isEvenRow;} %> </div>