Trong Tran resolved GTNPORTAL-2073.
-----------------------------------
Assignee: Khoi Nguyen
Fix Version/s: 3.2.0-M02
Resolution: Done
XSS encoding in UIFormTextAreaInput.java
----------------------------------------
Key: GTNPORTAL-2073
URL:
https://issues.jboss.org/browse/GTNPORTAL-2073
Project: GateIn Portal
Issue Type: Enhancement
Security Level: Public(Everyone can see)
Reporter: Honza Fnukal
Assignee: Khoi Nguyen
Labels: worked, xss
Fix For: 3.2.0-M02
The right place to encode the value is when rendering, as this is the UI component's
responsibility.
This component is used by many others, and some pass the value encoded, some not.
E.g., in UIGadgetEditor there is this method and it encodes the value, which causes double encoding:
public void processRender(WebuiRequestContext context) throws Exception
{
    UIFormTextAreaInput uiInputSource = getUIFormTextAreaInput(FIELD_SOURCE);
    UIFormStringInput uiInputName = getUIStringInput(FIELD_NAME);
    // Caller-side encoding: the value is HTML-encoded here, and then encoded
    // again by UIFormTextAreaInput when it renders -> double encoding.
    String encoded = StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(uiInputSource.getValue()));
    uiInputSource.setValue(encoded);
    if (this.isEdit()) { uiInputName.setEditable(false); }
    super.processRender(context);
}
There is probably more code like this; I think the best is to clean it up here.
Unfortunately it is probably in SP in a similar way too. If we disable encoding in
UIFormTextAreaInput, it will fix double encoding, but enable XSS where it is not encoded.
This task tracks such places and removes encoding from other places.
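An added example (not GateIn code) that models the trade-off described in this ticket: a stand-in for UIFormTextAreaInput that encodes once at render time, a caller that pre-encodes like UIGadgetEditor (double encoding), the unescape-then-escape workaround (which mangles legitimate input), and a component with encoding removed (XSS). The class and method names are hypothetical; org.apache.commons.lang.StringEscapeUtils (commons-lang 2.x) is assumed on the classpath.

```java
// Added example, not part of GateIn: encode exactly once, at the render boundary.
import org.apache.commons.lang.StringEscapeUtils; // commons-lang 2.x, assumed on the classpath

public class EncodeOnceDemo {

    /** Stand-in for UIFormTextAreaInput: the UI component owns output encoding. */
    static String renderTextArea(String rawValue) {
        return "<textarea>" + StringEscapeUtils.escapeHtml(rawValue) + "</textarea>";
    }

    /** Stand-in for the same component with encoding disabled (the rejected option). */
    static String renderTextAreaUnencoded(String value) {
        return "<textarea>" + value + "</textarea>";
    }

    public static void main(String[] args) {
        // Constructed user input that tries to break out of the textarea element.
        String userInput = "</textarea><b>injected</b>";

        // 1. Correct: caller passes the raw value, the component encodes it once.
        System.out.println(renderTextArea(userInput));
        // -> <textarea>&lt;/textarea&gt;&lt;b&gt;injected&lt;/b&gt;</textarea>

        // 2. The bug on this ticket: the caller encodes before handing the value over,
        //    the component encodes again, and the user sees "&amp;lt;" literally.
        String preEncoded = StringEscapeUtils.escapeHtml(userInput);
        System.out.println(renderTextArea(preEncoded));
        // -> <textarea>&amp;lt;/textarea&amp;gt;&amp;lt;b&amp;gt;injected&amp;lt;/b&amp;gt;</textarea>

        // 3. The unescape-then-escape workaround hides double encoding but corrupts
        //    input that legitimately contains an entity: the user typed "&amp;" and
        //    after the round trip only "&" is displayed.
        String legit = "Tom &amp; Jerry";
        String workaround = StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(legit));
        System.out.println(workaround);       // Tom &amp; Jerry  (displays as "Tom & Jerry")
        System.out.println(renderTextArea(legit)); // correct: Tom &amp;amp; Jerry

        // 4. Removing encoding from the component instead: every caller that does not
        //    encode now emits the markup verbatim, which is the XSS the ticket warns about.
        System.out.println(renderTextAreaUnencoded(userInput));
    }
}
```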
--
This message is automatically generated by JIRA.
For more information on JIRA, see: