Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 1.8.1, 1.8.3
- Fix Version/s: 1.8.2-EE-GA
- Component/s: ICE-Components
- Labels: None
- Environment:
- ICEsoft Forum Reference:
Description
Assume an inputText (or even selectInputDate) with a date converter and an ice:messages component.
When the user enters JavaScript (<script>alert('hello!')</script>), the messages component will be executed!
This does not happen with pure JSF and Facelets.
---code---
<ice:messages />
<ice:inputText id="fromReport" title="title" renderAsPopup="true"
popupDateFormat="dd.MM.yyyy">
<f:convertDateTime pattern="dd.MM.yyyy" />
</ice:inputText>
<ice:selectInputDate id="fromReport" title="title" renderAsPopup="true"
popupDateFormat="dd.MM.yyyy" partialSubmit="true">
<f:convertDateTime pattern="dd.MM.yyyy" />
</ice:selectInputDate>
<ice:commandButton value="Submit Application" />
---code---
Activity
Stefan Zeller
created issue -
Stefan Zeller
made changes -
Field | Original Value | New Value |
---|---|---|
Salesforce Case | [] | |
Priority | Major [ 3 ] | Critical [ 2 ] |
Ted Goddard
made changes -
Field | Original Value | New Value |
---|---|---|
Salesforce Case | [] | |
Fix Version/s | 1.8.2-EE [ 10216 ] | |
Assignee | | Ken Fyten [ ken.fyten ] |
Ken Fyten
made changes -
Field | Original Value | New Value |
---|---|---|
Salesforce Case | [] | |
Assignee Priority | P2 | |
Assignee | Ken Fyten [ ken.fyten ] | Mark Collette [ mark.collette ] |
Ken Fyten
made changes -
Field | Original Value | New Value |
---|---|---|
Salesforce Case | [] | |
Affects Version/s | | 1.8.3 [ 10211 ] |

Repository | Revision | Date | User | Message |
---|---|---|---|---|
ICEsoft Public SVN Repository | #19699 | Mon Nov 16 10:08:38 MST 2009 | yip.ng | |

Files Changed:
- MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/MessageRenderer.java
- MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/MessagesRenderer.java
yip.ng
made changes -
Field | Original Value | New Value |
---|---|---|
Attachment | | screenshot-1.png [ 12099 ] |
yip.ng
made changes -
Field | Original Value | New Value |
---|---|---|
Status | Open [ 1 ] | Resolved [ 5 ] |
Resolution | | Fixed [ 1 ] |
Ken Fyten
made changes -
Field | Original Value | New Value |
---|---|---|
Status | Resolved [ 5 ] | Closed [ 6 ] |
Assignee Priority | P2 | |
Assignee | Mark Collette [ mark.collette ] | |

Repository | Revision | Date | User | Message |
---|---|---|---|---|
ICEsoft Public SVN Repository | #36436 | Thu Jun 27 12:56:25 MDT 2013 | arran.mccullough | |

Files Changed:
- MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/MessageRenderer.java
- MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/MessagesRenderer.java
With stock JSF, the ResponseWriter automatically does escaping. With our D2D rendering, the components themselves have to make use of the DOMUtils.escapeAnsi(String) utility method. MessageRenderer and MessagesRenderer should be modified to make use of it.
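An added example, not ICEfaces' own MessageRenderer or MessagesRenderer code, that shows the distinction the comment above draws: a D2D-style renderer that concatenates converter message text straight into markup, beside the same renderer routing every summary through an escaper. The `escape` method is a stand-in whose behaviour is assumed to match `DOMUtils.escapeAnsi(String)`; `renderUnescaped`, `renderEscaped` and the sample message are constructed for the demo.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not ICEfaces code. A stock JSF ResponseWriter escapes text for
// you; a renderer that assembles DOM text itself must escape explicitly.
public class MessageEscapingDemo {

    // Stand-in for DOMUtils.escapeAnsi(String); its exact behaviour is assumed.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Before the fix: the converter's summary, which echoes the submitted
    // value, lands in the markup verbatim (the behaviour this issue reports).
    static String renderUnescaped(List<String> summaries) {
        StringBuilder sb = new StringBuilder("<ul>");
        for (String s : summaries) sb.append("<li>").append(s).append("</li>");
        return sb.append("</ul>").toString();
    }

    // After the fix: every summary passes through the escaper before output.
    static String renderEscaped(List<String> summaries) {
        StringBuilder sb = new StringBuilder("<ul>");
        for (String s : summaries) sb.append("<li>").append(escape(s)).append("</li>");
        return sb.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a date-conversion failure whose summary quotes the
        // submitted value from the issue description.
        List<String> msgs = Arrays.asList(
            "fromReport: '<script>alert('hello!')</script>' could not be understood as a date.");
        String unsafe = renderUnescaped(msgs);
        String safe = renderEscaped(msgs);
        System.out.println(unsafe);                       // contains a live <script> element
        System.out.println(safe);                         // contains only &lt;script&gt; text
        System.out.println(safe.contains("<script"));     // false: nothing left to execute
    }
}
```

The final check is the one to keep in a renderer unit test: rendered message markup must never contain a tag that originated in user input.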