[gatein-issues] [JBoss JIRA] Commented: (GTNPORTAL-2073) XSS encoding in UIFormTextAreaInput.java

Khoi Nguyen (JIRA) jira-events at lists.jboss.org
Thu Sep 1 05:02:26 EDT 2011


    [ https://issues.jboss.org/browse/GTNPORTAL-2073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12625671#comment-12625671 ] 

Khoi Nguyen commented on GTNPORTAL-2073:
----------------------------------------

Should we also do the same thing with the other ones, for example UIFormStringInput or Table?

> XSS encoding in UIFormTextAreaInput.java
> ----------------------------------------
>
>                 Key: GTNPORTAL-2073
>                 URL: https://issues.jboss.org/browse/GTNPORTAL-2073
>             Project: GateIn Portal
>          Issue Type: Enhancement
>      Security Level: Public(Everyone can see) 
>            Reporter: Honza Fnukal
>              Labels: xss
>
> The right place to encode the value is when rendering, as this is the UI component's responsibility.
> This component is used by many others, and some pass the value encoded, some not.
> Eg:
> In UIGadgetEditor there is this method and it encodes the value, which causes double encoding:
> public void processRender(WebuiRequestContext context) throws Exception
> {
>    UIFormTextAreaInput uiInputSource = getUIFormTextAreaInput(FIELD_SOURCE);
>    UIFormStringInput uiInputName = getUIStringInput(FIELD_NAME);
>    // escapes here, and UIFormTextAreaInput escapes again at render time -> double encoding
>    String encoded = StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(uiInputSource.getValue()));
>    uiInputSource.setValue(encoded);
>    if (this.isEdit()) { uiInputName.setEditable(false); }
>    super.processRender(context);
> }
> There is probably more code like this; I think the best is to clean it up here.
> Unfortunately it is probably in SP in a similar way too. If we disable encoding in UIFormTextAreaInput, it will fix double encoding, but enable XSS where it is not encoded.
> This task tracks such places and removes encoding from the other places.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
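The following is a small Python model of the situation described in the issue, added here as an illustration; it is not GateIn code and does not use GateIn's API. It shows a text-area component that escapes once at render time, a caller that repeats the escapeHtml(unescapeHtml(...)) pattern from UIGadgetEditor and therefore double-encodes, and the case the issue warns about, where render-time encoding is switched off and an unencoded value reaches the page. The class and function names and the sample value are constructed for the example.

```python
import html

# Constructed sample input: what a user could type into the gadget source field.
RAW_VALUE = '<script>alert(1)</script> & "quotes"'


class TextAreaInput:
    """Hypothetical stand-in for a UIFormTextAreaInput-like component.

    The stored value is kept raw and escaped exactly once, at render time,
    which is the division of responsibility the issue argues for.
    encode_on_render=False models the "disable encoding in the component"
    option the reporter warns against.
    """

    def __init__(self, value, encode_on_render=True):
        self.value = value
        self.encode_on_render = encode_on_render

    def set_value(self, value):
        self.value = value

    def render(self):
        body = html.escape(self.value, quote=True) if self.encode_on_render else self.value
        return f"<textarea>{body}</textarea>"


def caller_pre_encodes(field):
    """The pattern quoted from UIGadgetEditor.processRender: the caller
    normalises the value (unescape, then escape) before the component renders it.
    Combined with a component that also escapes, the output is double-encoded."""
    field.set_value(html.escape(html.unescape(field.value), quote=True))
    return field.render()


def render_safely(field):
    """Caller leaves the raw value alone and lets the component encode once."""
    return field.render()


def is_double_encoded(rendered):
    """Heuristic check: if unescaping a second time still changes the string,
    some text was escaped twice. Used here only to make the bug observable."""
    once = html.unescape(rendered)
    return html.unescape(once) != once


def contains_live_markup(rendered, payload="<script>"):
    """True when the payload reached the output unencoded, i.e. the XSS case."""
    return payload in rendered


if __name__ == "__main__":
    cases = {
        "component encodes, caller does not": render_safely(TextAreaInput(RAW_VALUE)),
        "component encodes, caller pre-encodes": caller_pre_encodes(TextAreaInput(RAW_VALUE)),
        "component off, caller does not": render_safely(TextAreaInput(RAW_VALUE, encode_on_render=False)),
        "component off, caller pre-encodes": caller_pre_encodes(TextAreaInput(RAW_VALUE, encode_on_render=False)),
    }
    for name, out in cases.items():
        print(f"{name}: double={is_double_encoded(out)} xss={contains_live_markup(out)}")
        print("   ", out)
```

Only one of the four combinations is both safe and correctly encoded in every caller: the component escapes and callers pass the raw value. Pre-encoding in a caller is only safe while the component does not encode, which is exactly the coupling the issue wants removed by fixing the callers rather than the component.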
