Author: ndkhoiits
Date: 2011-09-14 03:00:17 -0400 (Wed, 14 Sep 2011)
New Revision: 7400
Modified:
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIGadgetEditor.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java
Log:
GTNPORTAL-2073 XSS encoding in UIFormTextAreaInput.java
Modified:
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java
===================================================================
---
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java 2011-09-14
06:10:00 UTC (rev 7399)
+++
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java 2011-09-14
07:00:17 UTC (rev 7400)
@@ -38,7 +38,6 @@
import org.exoplatform.webui.form.validator.EscapeHTMLValidator;
import org.exoplatform.webui.form.validator.MandatoryValidator;
import org.exoplatform.webui.form.validator.NameValidator;
-import org.exoplatform.webui.form.validator.SpecialCharacterValidator;
import org.exoplatform.webui.form.validator.StringLengthValidator;
import java.util.Calendar;
Modified:
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIGadgetEditor.java
===================================================================
---
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIGadgetEditor.java 2011-09-14
06:10:00 UTC (rev 7399)
+++
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIGadgetEditor.java 2011-09-14
07:00:17 UTC (rev 7400)
@@ -19,15 +19,14 @@
package org.exoplatform.applicationregistry.webui.component;
-import org.apache.commons.lang.StringEscapeUtils;
import org.apache.shindig.common.uri.Uri;
import org.apache.shindig.gadgets.spec.GadgetSpec;
import org.exoplatform.application.gadget.Gadget;
import org.exoplatform.application.gadget.GadgetRegistryService;
import org.exoplatform.application.gadget.Source;
import org.exoplatform.application.gadget.SourceStorage;
-import org.exoplatform.portal.webui.application.GadgetUtil;
import org.exoplatform.commons.serialization.api.annotations.Serialized;
+import org.exoplatform.portal.webui.application.GadgetUtil;
import org.exoplatform.web.application.ApplicationMessage;
import org.exoplatform.webui.application.WebuiRequestContext;
import org.exoplatform.webui.config.InitParams;
@@ -50,6 +49,7 @@
import org.exoplatform.webui.form.validator.ResourceValidator;
import org.exoplatform.webui.form.validator.StringLengthValidator;
import org.exoplatform.webui.form.validator.Validator;
+
import java.io.Serializable;
import java.util.Calendar;
@@ -120,8 +120,7 @@
{
UIFormTextAreaInput uiInputSource = getUIFormTextAreaInput(FIELD_SOURCE);
UIFormStringInput uiInputName = getUIStringInput(FIELD_NAME);
- String encoded =
StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(uiInputSource.getValue()));
- uiInputSource.setValue(encoded);
+ uiInputSource.setValue(uiInputSource.getValue());
if(this.isEdit()) {
uiInputName.setEditable(false);
}
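Review bot: The replacement line `uiInputSource.setValue(uiInputSource.getValue());` is a no-op — it reads the field's value and writes it straight back — so it should be deleted rather than left as a shadow of the removed escape/unescape call. If the intent is to record that encoding has moved to render time, a comment says that more honestly: `// source is entity-encoded at render time by UIFormTextAreaInput.processRender (escapeHTML_ defaults to true)`. That protection depends on the default holding, so nothing in this form should call setEscapeHTML(false) on FIELD_SOURCE, since the gadget XML would then reach the textarea raw. The enclosing method starts before this hunk.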
@@ -135,12 +134,6 @@
return (idx > 0) ? fullName.substring(0, idx) : fullName;
}
- private String appendTail(String name)
- {
- int idx = name.indexOf('.');
- return (idx > 0) ? name : name + ".xml";
- }
-
public void setDirPath(String dirPath)
{
this.dirPath = dirPath;
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java 2011-09-14
06:10:00 UTC (rev 7399)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java 2011-09-14
07:00:17 UTC (rev 7400)
@@ -19,8 +19,8 @@
package org.exoplatform.webui.form;
+import org.exoplatform.commons.serialization.api.annotations.Serialized;
import org.exoplatform.webui.application.WebuiRequestContext;
-import org.exoplatform.commons.serialization.api.annotations.Serialized;
import org.exoplatform.webui.core.UIComponent;
import org.exoplatform.webui.core.UIContainer;
import org.exoplatform.webui.event.Event;
@@ -90,6 +90,11 @@
* Whether this field is in read only mode
*/
protected boolean readonly_ = false;
+
+ /**
+ * Encode the value before rendering or not. The value will be encoded by default.
+ */
+ protected boolean escapeHTML_ = true;
public UIFormInputBase(String name, String bindingField, Class<T> typeValue)
{
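Review bot: The Javadoc on the new `escapeHTML_` field says the value "will be encoded by default" but not who does the encoding; the base class only stores the flag, and each subclass's `processRender` has to check it, so a subclass that forgets gets no protection. Suggest spelling that out: `* Whether processRender() entity-encodes the value before writing it. Defaults to true. Subclasses that render the value must honor this flag; setting it to false makes the caller responsible for escaping.` The enclosing class starts before this hunk.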
@@ -238,4 +243,14 @@
this.label = label;
}
+ public boolean isEscapeHTML()
+ {
+ return escapeHTML_;
+ }
+
+ public void setEscapeHTML(boolean escapeHTML_)
+ {
+ this.escapeHTML_ = escapeHTML_;
+ }
+
}
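Review bot: The setter's parameter is named `escapeHTML_`, which borrows the trailing-underscore convention this file uses for fields (`readonly_`, `value_`); a parameter with that name reads as if it were the field, and `this.escapeHTML_ = escapeHTML_;` is easy to misread. Rename it: `public void setEscapeHTML(boolean escapeHTML)` with `this.escapeHTML_ = escapeHTML;`. Since passing false is a security-relevant opt-out, the setter also deserves a one-line Javadoc stating that disabling encoding shifts responsibility for escaping to the caller. The enclosing class starts before this hunk.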
\ No newline at end of file
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java 2011-09-14
06:10:00 UTC (rev 7399)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java 2011-09-14
07:00:17 UTC (rev 7400)
@@ -21,6 +21,7 @@
import org.exoplatform.webui.application.WebuiRequestContext;
import org.exoplatform.commons.serialization.api.annotations.Serialized;
+import org.gatein.common.text.EntityEncoder;
import java.io.Writer;
@@ -88,7 +89,6 @@
return maxLength;
}
- @SuppressWarnings("unused")
public void decode(Object input, WebuiRequestContext context) throws Exception
{
String val = (String)input;
@@ -101,6 +101,7 @@
public void processRender(WebuiRequestContext context) throws Exception
{
+ String value = getValue();
Writer w = context.getWriter();
w.write("<input name='");
w.write(getName());
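Review bot: `getName()` here (and `getId()` further down the method) is still written into a single-quoted attribute without any encoding, while this hunk only sets up `value` for later escaping. These are presumably component identifiers fixed at construction rather than request data, in which case this is fine — but if any name can originate from a request, the same `EntityEncoder.FULL.encode(...)` treatment would close the gap cheaply. processRender continues past the end of this hunk.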
@@ -112,10 +113,14 @@
w.write(" id='");
w.write(getId());
w.write('\'');
- if (value_ != null && value_.length() > 0)
+ if (value != null && value.length() > 0)
{
+ if (escapeHTML_)
+ {
+ value = EntityEncoder.FULL.encode(value);
+ }
w.write(" value='");
- w.write(encodeValue(value_).toString());
+ w.write(value);
w.write('\'');
}
if (maxLength > 0)
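Review bot: When `escapeHTML_` is false the new code writes `value` into the single-quoted `value='…'` attribute with no escaping at all, whereas the removed `encodeValue` always replaced `'` and `"`; a value containing `'` can now terminate the attribute and inject further attributes or event handlers. At minimum keep the attribute-safe encoding unconditional, e.g. `value = escapeHTML_ ? EntityEncoder.FULL.encode(value) : value.replace("'", "&#39;").replace("\"", "&quot;");`, or document that setEscapeHTML(false) is unsafe for this component. Also confirm that `EntityEncoder.FULL` encodes the apostrophe (0x27): the HTML 4 entity set has no `apos` entry, and since this attribute is delimited by single quotes an encoder that leaves `'` alone would not protect it even on the default path. processRender starts before this hunk.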
@@ -128,34 +133,4 @@
if (this.isMandatory())
w.write(" *");
}
-
- private StringBuilder encodeValue(String value)
- {
- char[] chars = {'\'', '"'};
- String[] refs = {"'", """};
- StringBuilder builder = new StringBuilder(value);
- int idx;
- for (int i = 0; i < chars.length; i++)
- {
- idx = indexOf(builder, chars[i], 0);
- while (idx > -1)
- {
- builder = builder.replace(idx, idx + 1, refs[i]);
- idx = indexOf(builder, chars[i], idx);
- }
- }
- return builder;
- }
-
- private int indexOf(StringBuilder builder, char c, int from)
- {
- int i = from;
- while (i < builder.length())
- {
- if (builder.charAt(i) == c)
- return i;
- i++;
- }
- return -1;
- }
}
\ No newline at end of file
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java
===================================================================
---
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java 2011-09-14
06:10:00 UTC (rev 7399)
+++
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java 2011-09-14
07:00:17 UTC (rev 7400)
@@ -21,6 +21,7 @@
import org.exoplatform.webui.application.WebuiRequestContext;
import org.exoplatform.commons.serialization.api.annotations.Serialized;
+import org.gatein.common.text.EntityEncoder;
import java.io.Writer;
@@ -50,7 +51,6 @@
this.value_ = value ;
}
- @SuppressWarnings("unused")
public void decode(Object input, WebuiRequestContext context) throws Exception {
String val = (String) input ;
value_ = val ;
@@ -72,9 +72,13 @@
w.append("
cols=\"").append(String.valueOf(columns)).append("\"");
w.write(">");
if (value != null)
- //TODO: remove from other components and than encode here
- //w.write(org.gatein.common.text.EntityEncoder.FULL.encode(value));
- w.write(value);
+ {
+ if (escapeHTML_)
+ {
+ value = EntityEncoder.FULL.encode(value);
+ }
+ }
+ w.write(value);
w.write("</textarea>");
if (this.isMandatory())
w.write(" *");
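Review bot: `w.write(value);` has been moved outside the `if (value != null)` guard — the removed code only wrote inside it — so a null value now reaches `Writer.write(String)` and throws a NullPointerException during rendering. Move the write back inside the guard: `if (value != null) { if (escapeHTML_) { value = EntityEncoder.FULL.encode(value); } w.write(value); }`. Separately, encoding `<` and `&` is what stops a value containing `</textarea>` from breaking out of the element, so `setEscapeHTML(false)` on a text area bound to user data reintroduces the XSS this commit fixes; that is worth stating in the setter's Javadoc. `value` is a local defined before this hunk, and processRender starts outside it.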