[jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-4220) <s:formattedText> + <rich:editor useSeamText=true> exception with use of <object ... > :flash video displaying

Christian Bauer (JIRA) jira-events at lists.jboss.org
Thu Jun 4 07:43:56 EDT 2009


     [ https://jira.jboss.org/jira/browse/JBSEAM-4220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Bauer closed JBSEAM-4220.
-----------------------------------

    Resolution: Rejected


Use your real name if you want to talk to someone here.

Seam Text does not allow you to create Flash XSS holes. What you are doing is evil.

    /**
     * Implementation of the rules in http://wiki.whatwg.org/wiki/Sanitization_rules
     *
     * <pre>
     * Changes and additions:
     *
     * 1. Expanded all -* wildcard values to their full CSS property name (e.g. border-*).
     *
     * 2. Added dash as allowed character to REGEX_VALID_CSS_STRING1.
     *
     * 3. Improved REGEX_VALID_CSS_VALUE with range {n,m} checks for color values and negative units.
     *
     * 4. Added more options (mostly of vertical-align property, e.g. "middle", "text-top") as allowed CSS values.
     *
     * 5. Added "max-height", "max-width", "min-height", "min-width" to CSS properties.
     *
     * 6. Removed 'data' URI scheme.
     *
     * 7. Not implemented filtering of CSS url() - it's an invalid value always.
     *
     * 8. Removed all &lt;form&gt;, &lt;input&gt; and other form tags. Attackers might use them to compromise 
     *    "outer" forms when entering markup in a textarea.
     * </pre>
     *
     */
    public static class DefaultSanitizer implements SeamTextParser.Sanitizer




> <s:formattedText> + <rich:editor useSeamText=true> exception with use of <object ... > :flash video displaying
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: JBSEAM-4220
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-4220
>             Project: Seam
>          Issue Type: Bug
>    Affects Versions: 2.1.2.CR2
>         Environment: Seam 2.1.2CR2, RichFaces 3.3.1, Eclipse 3.3, JBoss 4.22, WinXp
>            Reporter: bb bb
>
> I would like to display a Flash video with rich:editor, using the useSeamText=true parameter,
> with <s:formattedText> displaying the tags. But it doesn't work.
> 1.
> If I use useSeamText=false I get the following error when I want to display the value of the editor.
> a.
> If I remove the escape="false" parameter the <object...> is escaped, so the video does not appear.
> <h:outputText value="#{editortext}" escape="false"/> <br/> <-- working version, but I get an exception
> b.
> With <s:formattedText value="#{editortext}"/> the video does not appear, because there is no escape parameter,
> and I get the same exception.
> 2:57:35,609 INFO [STDOUT] invalid element 'object'
> 12:57:35,609 ERROR [STDERR] invalid element 'object'
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.text.SeamTextParser.openTag(SeamTextParser.java:2268)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.text.SeamTextParser.html(SeamTextParser.java:946)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.text.SeamTextParser.body(SeamTextParser.java:2414)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.text.SeamTextParser.html(SeamTextParser.java:969)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.text.SeamTextParser.text(SeamTextParser.java:732)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.text.SeamTextParser.startRule(SeamTextParser.java:614)
> 12:57:35,609 ERROR [STDERR] at com.backbone.dvc.util.TextUtil.getFormattedContent(TextUtil.java:26)
> 12:57:35,609 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 12:57:35,609 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> 12:57:35,609 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> 12:57:35,609 ERROR [STDERR] at java.lang.reflect.Method.invoke(Unknown Source)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.util.Reflections.invoke(Reflections.java:22)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:32)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:28)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.bpm.BusinessProcessInterceptor.aroundInvoke(BusinessProcessInterceptor.java:51)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:44)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)
> 12:57:35,609 ERROR [STDERR] at com.backbone.dvc.util.TextUtil_$$_javassist_seam_14.getFormattedContent(TextUtil_$$_javassist_seam_14.java)
> 12:57:35,609 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 12:57:35,609 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> 12:57:35,609 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> 12:57:35,609 ERROR [STDERR] at java.lang.reflect.Method.invoke(Unknown Source)
> 12:57:35,609 ERROR [STDERR] at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335)
> 12:57:35,609 ERROR [STDERR] at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:280)
> 12:57:35,609 ERROR [STDERR] at org.jboss.el.parser.AstMethodSuffix.getValue(AstMethodSuffix.java:59)
> 12:57:35,609 ERROR [STDERR] at org.jboss.el.parser.AstValue.getValue(AstValue.java:67)
> 12:57:35,609 ERROR [STDERR] at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186)
> 12:57:35,609 ERROR [STDERR] at com.sun.facelets.el.ELText$ELTextVariable.toString(ELText.java:174)
> 12:57:35,609 ERROR [STDERR] at com.sun.facelets.el.ELText$ELTextComposite.toString(ELText.java:115)
> 12:57:35,609 ERROR [STDERR] at com.sun.facelets.compiler.CommentInstruction.write(CommentInstruction.java:38)
> 12:57:35,609 ERROR [STDERR] at com.sun.facelets.compiler.UIInstructions.encodeBegin(UIInstructions.java:39)
> 12:57:35,609 ERROR [STDERR] at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeRecursive(HtmlBasicRenderer.java:269)
> 12:57:35,609 ERROR [STDERR] at com.sun.faces.renderkit.html_basic.GridRenderer.encodeChildren(GridRenderer.java:242)
> 12:57:35,609 ERROR [STDERR] at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:812)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258)
> 12:57:35,609 ERROR [STDERR] at org.richfaces.renderkit.html.PanelRenderer.doEncodeChildren(PanelRenderer.java:220)
> 12:57:35,609 ERROR [STDERR] at org.richfaces.renderkit.html.PanelRenderer.doEncodeChildren(PanelRenderer.java:215)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.renderkit.RendererBase.encodeChildren(RendererBase.java:120)
> 12:57:35,609 ERROR [STDERR] at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:812)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:279)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.renderkit.html.AjaxOutputPanelRenderer.encodeChildren(AjaxOutputPanelRenderer.java:78)
> 12:57:35,609 ERROR [STDERR] at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:812)
> 12:57:35,609 ERROR [STDERR] at javax.faces.component.UIComponent.encodeAll(UIComponent.java:886)
> 12:57:35,609 ERROR [STDERR] at javax.faces.component.UIComponent.encodeAll(UIComponent.java:892)
> 12:57:35,609 ERROR [STDERR] at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:592)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:100)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.application.AjaxViewHandler.renderView(AjaxViewHandler.java:176)
> 12:57:35,609 ERROR [STDERR] at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:106)
> 12:57:35,609 ERROR [STDERR] at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
> 12:57:35,609 ERROR [STDERR] at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
> 12:57:35,609 ERROR [STDERR] at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
> 12:57:35,609 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> 12:57:35,609 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 12:57:35,609 ERROR [STDERR] at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:510)
> 12:57:35,609 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 12:57:35,609 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 12:57:35,609 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
> 12:57:35,609 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:445)
> 12:57:35,609 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
> 12:57:35,609 ERROR [STDERR] at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:292)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.web.RewriteFilter.process(RewriteFilter.java:98)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:57)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
> 12:57:35,609 ERROR [STDERR] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73)
> 12:57:35,656 ERROR [STDERR] at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:178)
> 12:57:35,656 ERROR [STDERR] at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
> 12:57:35,656 ERROR [STDERR] at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:368)
> 12:57:35,656 ERROR [STDERR] at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:495)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.web.HotDeployFilter.doFilter(HotDeployFilter.java:53)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 12:57:35,656 ERROR [STDERR] at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> 12:57:35,656 ERROR [STDERR] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
> 12:57:35,656 ERROR [STDERR] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> 12:57:35,656 ERROR [STDERR] at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 12:57:35,656 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
> 12:57:35,656 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> 12:57:35,656 ERROR [STDERR] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
> 12:57:35,656 ERROR [STDERR] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
> 12:57:35,656 ERROR [STDERR] at java.lang.Thread.run(Unknown Source)
> 12:57:35,656 ERROR [STDERR] Caused by: line 1:15: invalid element 'object'
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.text.SeamTextParser$DefaultSanitizer.createSemanticException(SeamTextParser.java:403)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.text.SeamTextParser$DefaultSanitizer.validateHtmlElement(SeamTextParser.java:281)
> 12:57:35,656 ERROR [STDERR] at org.jboss.seam.text.SeamTextParser.openTag(SeamTextParser.java:2256)
> 12:57:35,656 ERROR [STDERR] ... 111 more
> The value of the editor in the database:
> <object width="100" height="100" data="http://www.youtube.com/v/F4fPv450OYM" type="application/x-shockwave-flash">
> <param name="quality" value="-- Not set --" />
> <param name="scale" value="-- Not set --" />
> <param name="salign" value="-- Not set --" />
> <param name="wmode" value="-- Not set --" />
> <param name="src" value="http://www.youtube.com/v/F4fPv450OYM" />
> <param name="align" value="-- Not set --" />
> </object>
> 2.
> If I use useSeamText=true I don't get an error, and the video is not displayed.
> The <object ...> is not saved to the database (editor value).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
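The DefaultSanitizer Javadoc quoted in the reply above lists the WHATWG-style rules that make the reporter's `<object>` markup fail with "invalid element 'object'" rather than render. The following is an added example, not Seam's code and not part of this thread: a small Python allowlist sanitizer that applies the same shape of rules (element and attribute allowlists, wildcard CSS properties expanded to full names, CSS values checked for bounded colours and signed units, the `data:` scheme excluded, `url()` never accepted, form elements absent). All allowlists, names and sample inputs in it are constructed and far shorter than Seam's; the point it demonstrates is that markup outside the allowlists is rejected outright, which is the behaviour seen in the stack trace.

```python
"""Allowlist HTML/CSS sanitizer in the spirit of the WHATWG rules that Seam Text's
DefaultSanitizer follows.  Added example, not Seam code; the allowlists are constructed
and far shorter than Seam's.  Markup outside them is rejected, not escaped or cleaned."""
import html
import re
from html.parser import HTMLParser

class SanitizationError(ValueError):
    """Raised instead of rendering; mirrors Seam's 'invalid element' failure."""

# Constructed allowlists (hypothetical).  No object/embed/script/form/input.
ALLOWED_ELEMENTS = {"p", "br", "a", "b", "i", "u", "em", "strong", "span", "img",
                    "ul", "ol", "li", "blockquote", "pre", "code", "h1", "h2", "h3"}
ALLOWED_ATTRIBUTES = {"href", "src", "alt", "title", "style", "class"}
URI_ATTRIBUTES = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}            # rule 6: no "data"
# Rule 1: wildcard properties such as border-* expanded to their full names.
ALLOWED_CSS_PROPERTIES = (
    {"color", "background-color", "font-size", "font-weight", "text-align",
     "vertical-align", "max-height", "max-width", "min-height", "min-width"}
    | {f"{p}-{s}" for p in ("border", "margin", "padding")
       for s in ("top", "right", "bottom", "left")})
# Rules 2-4: keyword, quoted string (dash allowed), bounded colour, signed unit.
ALLOWED_CSS_KEYWORDS = {"left", "right", "center", "justify", "bold", "normal", "baseline",
                        "middle", "sub", "super", "text-top", "text-bottom", "auto", "none"}
RE_CSS_COLOR = re.compile(r"^#[0-9a-fA-F]{3,6}$|^rgb\((\s*\d{1,3}\s*,){2}\s*\d{1,3}\s*\)$")
RE_CSS_UNIT = re.compile(r"^-?\d+(\.\d+)?(px|em|ex|pt|%|cm|mm|in)?$")
RE_CSS_STRING = re.compile(r"^\"[\w\s-]*\"$|^'[\w\s-]*'$")
RE_CSS_DECL = re.compile(r"^\s*([a-zA-Z-]+)\s*:\s*([^;]+?)\s*$")
RE_URI_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")

def validate_css_value(value):
    """Rule 7 falls out of this: url(...) matches no accepted shape."""
    return (value.lower() in ALLOWED_CSS_KEYWORDS
            or any(rx.match(value) for rx in (RE_CSS_COLOR, RE_CSS_UNIT, RE_CSS_STRING)))

def validate_style(style):
    for decl in filter(str.strip, style.split(";")):
        m = RE_CSS_DECL.match(decl)
        if not m:
            raise SanitizationError(f"malformed CSS declaration {decl.strip()!r}")
        prop, value = m.group(1).lower(), m.group(2)
        if prop not in ALLOWED_CSS_PROPERTIES:
            raise SanitizationError(f"invalid CSS property '{prop}'")
        if not validate_css_value(value):
            raise SanitizationError(f"invalid CSS value for '{prop}': {value!r}")

def validate_uri(value):
    # Browsers ignore ASCII controls and whitespace inside a scheme, so the check
    # runs on a copy with those stripped.  Scheme-less (relative) URIs pass.
    m = RE_URI_SCHEME.match(re.sub(r"[\x00-\x20]", "", value))
    if m and m.group(1).lower() not in ALLOWED_SCHEMES:
        raise SanitizationError(f"invalid URI scheme '{m.group(1).lower()}'")

class AllowlistSanitizer(HTMLParser):
    """Re-serialises allowed markup; anything outside the allowlists raises.
    Comments, doctypes and processing instructions are dropped silently."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _open(self, tag, attrs, self_closing):
        if tag not in ALLOWED_ELEMENTS:
            raise SanitizationError(f"invalid element '{tag}'")
        parts = [tag]
        for name, value in attrs:                  # HTMLParser lower-cases both
            value = value or ""
            if name not in ALLOWED_ATTRIBUTES:
                raise SanitizationError(f"invalid attribute '{name}' on '{tag}'")
            if name in URI_ATTRIBUTES:
                validate_uri(value)
            elif name == "style":
                validate_style(value)
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._open(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._open(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_ELEMENTS:
            raise SanitizationError(f"invalid element '{tag}'")
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize(markup):
    """Return re-serialised markup, or raise SanitizationError."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def sanitize_or_error(markup):
    """(output, None) on success, (None, message) on rejection."""
    try:
        return sanitize(markup), None
    except SanitizationError as exc:
        return None, str(exc)
```

Feeding the reporter's `<object ... type="application/x-shockwave-flash">` markup to `sanitize_or_error` yields `(None, "invalid element 'object'")`, the same decision the Seam parser made; `<form>`/`<input>`, a `data:` image and a `background-color: url(...)` declaration are rejected the same way, while plain styled text and relative links are re-serialised unchanged. Rejecting rather than silently stripping is a deliberate choice for content that is stored and re-rendered: the author sees immediately which construct is disallowed, and nothing half-sanitised reaches the database.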
