ICEfaces ICE-4699

Cross Scripting Issue: ice:messages don't escape JavaScript

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.8.1, 1.8.3
    • Fix Version/s: 1.8.2-EE-GA
    • Component/s: ICE-Components
    • Labels:
      None
    • Environment:
      ..

      Description

      Assume an inputText (or even selectInputDate) with a date converter and an ice:messages component.

      When the user enters JavaScript (<script>alert('hello!')</script>), the messages component will be executed!

      This does not happen with pure JSF and Facelets.

      ---code---
      <ice:messages />

      <ice:inputText id="fromReport" title="title" renderAsPopup="true"
      popupDateFormat="dd.MM.yyyy">
      <f:convertDateTime pattern="dd.MM.yyyy" />
      </ice:inputText>

      <ice:selectInputDate id="fromReport" title="title" renderAsPopup="true"
      popupDateFormat="dd.MM.yyyy" partialSubmit="true">
      <f:convertDateTime pattern="dd.MM.yyyy" />
      </ice:selectInputDate>

      <ice:commandButton value="Submit Application" />
      ---code---

        Activity

        Stefan Zeller created issue
        Stefan Zeller made changes: Priority Major [ 3 ] -> Critical [ 2 ]
        Ted Goddard made changes: Fix Version/s 1.8.2-EE [ 10216 ]; Assignee Ken Fyten [ ken.fyten ]
        Ken Fyten made changes: Assignee Priority P2; Assignee Ken Fyten [ ken.fyten ] -> Mark Collette [ mark.collette ]
        Ken Fyten made changes: Affects Version/s 1.8.3 [ 10211 ]
        Mark Collette added a comment -

        With stock JSF, the ResponseWriter automatically does escaping. With our D2D rendering, the components themselves have to make use of the DOMUtils.escapeAnsi(String) utility method. MessageRenderer and MessagesRenderer should be modified to make use of it.

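An added illustration of the fix Mark describes, not ICEfaces code: a minimal messages renderer that writes the converter's summary into the DOM once verbatim (the reported behaviour) and once HTML-escaped. The real fix calls DOMUtils.escapeAnsi(String) from MessageRenderer and MessagesRenderer; the escapeHtml() method here is an assumed stand-in, and the message text is constructed from the report.

```java
import java.util.List;
// Added example, not ICEfaces code. escapeHtml() stands in for the project's
// DOMUtils.escapeAnsi(String); the message text is constructed from the report.
public class MessagesEscapeDemo {
    static final String USER_INPUT = "<script>alert('hello!')</script>";
    static final String SUMMARY =
        "fromReport: '" + USER_INPUT + "' could not be understood as a date.";
    // Neutralise the characters that end a text node or attribute value.
    // '&' is handled first so existing entities are not escaped twice.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Before the fix: D2D rendering bypasses the escaping ResponseWriter of
    // stock JSF, so the summary lands in the DOM as markup.
    static String renderUnescaped(List<String> messages) {
        StringBuilder sb = new StringBuilder("<ul>");
        for (String m : messages) sb.append("<li>").append(m).append("</li>");
        return sb.append("</ul>").toString();
    }
    // After the fix: each message is escaped before it is written.
    static String renderEscaped(List<String> messages) {
        StringBuilder sb = new StringBuilder("<ul>");
        for (String m : messages) sb.append("<li>").append(escapeHtml(m)).append("</li>");
        return sb.append("</ul>").toString();
    }
    public static void main(String[] args) {
        List<String> msgs = List.of(SUMMARY);
        String before = renderUnescaped(msgs), after = renderEscaped(msgs);
        System.out.println("before: " + before);
        System.out.println("after:  " + after);
        // The check QA performed by hand: no live <script> element may survive.
        System.out.println("script survives before/after: "
            + before.contains("<script>") + "/" + after.contains("<script>"));
    }
}
```

The escaped output renders the literal text "<script>alert('hello!')</script>" inside the message, which is what the QA steps below expect to see.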
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #19699 Mon Nov 16 10:08:38 MST 2009 yip.ng ICE-4699: Added escaping messages.
        Files Changed
        MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/MessageRenderer.java
        MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/MessagesRenderer.java
        yip.ng made changes: Attachment screenshot-1.png [ 12099 ]
        yip.ng added a comment -

        Fixed as suggested by Mark. See screenshot-1.

        yip.ng made changes: Status Open [ 1 ] -> Resolved [ 5 ]; Resolution Fixed [ 1 ]
        Joanne Bai added a comment -

        QA confirmed the fix using component showcase jsp on ICEfaces-ee-1.8.2 branch revision #19725
        Tested on: Tomcat 6 + FF3.5 and IE8

        Testing steps:
        -> load component showcase jsp in the browser and navigate to the Calendar page
        -> in date entry box, enter <script>alert('hello!')</script> and then tab out
        -> should see a message saying something like "iceform:sdSub:popupDatePttrn1: '<script>alert('hello!')</script>' could not be understood as a date.". A popup with text "hello" should not show up.

        Ken Fyten made changes: Status Resolved [ 5 ] -> Closed [ 6 ]; Assignee Priority P2; Assignee Mark Collette [ mark.collette ]
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #36436 Thu Jun 27 12:56:25 MDT 2013 arran.mccullough ICE-4699: Added escaping messages.
        Files Changed
        MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/MessageRenderer.java
        MODIFY /icefaces/scratchpads/patches/ICEfaces-1.8.2-MPFSA-Build/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/MessagesRenderer.java

          People

          • Assignee: Unassigned
          • Reporter: Stefan Zeller
          • Votes: 2
          • Watchers: 1