5:38 p.m.
XSS encoding in UIFormTextAreaInput.java
----------------------------------------
Key: GTNPORTAL-2073
URL: https://issues.jboss.org/browse/GTNPORTAL-2073
Project: GateIn Portal
Issue Type: Enhancement
Security Level: Public (Everyone can see)
Reporter: Honza Fnukal
Fight place where to encode value is when rendering as this is UI component
responsibility.
This component is used by many others, and some pass value encoded, some not.
Eg:
In UIGadgetEditor is this method and it encodes value, this cause double encoding:
public void processRender(WebuiRequestContext context) throws Exception
{
UIFormTextAreaInput uiInputSource = getUIFormTextAreaInput(FIELD_SOURCE);
UIFormStringInput uiInputName = getUIStringInput(FIELD_NAME);
String encoded =
StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(uiInputSource.getValue()));
uiInputSource.setValue(encoded);
if(this.isEdit()) { uiInputName.setEditable(false); }
super.processRender(context);
}
There is probably more code like this, I thin the best is clean it up here.
Unfortunately it is probably in SP in similar way too. If we disable encoding in
UIFormTextAreaInput, it will fix double encoding, but enable XSS where it is not encoded.
This task track such places and remove encoding from other places.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:02 a.m.
New subject: [JBoss JIRA] Commented: (GTNPORTAL-2073) XSS encoding in UIFormTextAreaInput.java
[
https://issues.jboss.org/browse/GTNPORTAL-2073?page=com.atlassian.jira.pl...
]
Khoi Nguyen commented on GTNPORTAL-2073:
----------------------------------------
Should we also do the same thing with other ones. For example UIFormStringInput or Table?
XSS encoding in UIFormTextAreaInput.java
----------------------------------------
Key: GTNPORTAL-2073
URL: https://issues.jboss.org/browse/GTNPORTAL-2073
Project: GateIn Portal
Issue Type: Enhancement
Security Level: Public(Everyone can see)
Reporter: Honza Fnukal
Labels: xss
Fight place where to encode value is when rendering as this is UI component
responsibility.
This component is used by many others, and some pass value encoded, some not.
Eg:
In UIGadgetEditor is this method and it encodes value, this cause double encoding:
public void processRender(WebuiRequestContext context) throws Exception
{
UIFormTextAreaInput uiInputSource = getUIFormTextAreaInput(FIELD_SOURCE);
UIFormStringInput uiInputName = getUIStringInput(FIELD_NAME);
String encoded =
StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(uiInputSource.getValue()));
uiInputSource.setValue(encoded);
if(this.isEdit()) { uiInputName.setEditable(false); }
super.processRender(context);
}
There is probably more code like this, I thin the best is clean it up here.
Unfortunately it is probably in SP in similar way too. If we disable encoding in
UIFormTextAreaInput, it will fix double encoding, but enable XSS where it is not encoded.
This task track such places and remove encoding from other places.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:22 p.m.
New subject: [JBoss JIRA] Resolved: (GTNPORTAL-2073) XSS encoding in UIFormTextAreaInput.java
[
https://issues.jboss.org/browse/GTNPORTAL-2073?page=com.atlassian.jira.pl...
]
Trong Tran resolved GTNPORTAL-2073.
-----------------------------------
Assignee: Khoi Nguyen
Fix Version/s: 3.2.0-M02
Resolution: Done
XSS encoding in UIFormTextAreaInput.java
----------------------------------------
Key: GTNPORTAL-2073
URL: https://issues.jboss.org/browse/GTNPORTAL-2073
Project: GateIn Portal
Issue Type: Enhancement
Security Level: Public(Everyone can see)
Reporter: Honza Fnukal
Assignee: Khoi Nguyen
Labels: worked, xss
Fix For: 3.2.0-M02
Fight place where to encode value is when rendering as this is UI component
responsibility.
This component is used by many others, and some pass value encoded, some not.
Eg:
In UIGadgetEditor is this method and it encodes value, this cause double encoding:
public void processRender(WebuiRequestContext context) throws Exception
{
UIFormTextAreaInput uiInputSource = getUIFormTextAreaInput(FIELD_SOURCE);
UIFormStringInput uiInputName = getUIStringInput(FIELD_NAME);
String encoded =
StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(uiInputSource.getValue()));
uiInputSource.setValue(encoded);
if(this.isEdit()) { uiInputName.setEditable(false); }
super.processRender(context);
}
There is probably more code like this, I thin the best is clean it up here.
Unfortunately it is probably in SP in similar way too. If we disable encoding in
UIFormTextAreaInput, it will fix double encoding, but enable XSS where it is not encoded.
This task track such places and remove encoding from other places.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
4655
days inactive
4688
days old
2 comments
3 participants
participants (3)
-
Honza Fnukal (JIRA) -
Khoi Nguyen (JIRA)
-
Trong Tran (JIRA)