ICEfaces
ICE-4699

Cross Scripting Issue: ice:messages don't escape JavaScript

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.8.1, 1.8.3
    • Fix Version/s: 1.8.2-EE-GA
    • Component/s: ICE-Components
    • Labels:
      None
    • Environment:
      ..

      Description

      Assume an inputText (or even a selectInputDate) with a date converter and an ice:messages component.

      When the user enters JavaScript (<script>alert('hello!')</script>) as the value, the messages component renders the resulting message without escaping it, so the script is executed in the browser!

      This does not happen with pure JSF and Facelets.

      ---code---
      <!-- Renders every queued FacesMessage, including the conversion error for the date field -->
      <ice:messages />

      <!-- Text input with a date converter: an unparseable value queues a conversion error -->
      <ice:inputText id="fromReport" title="title" renderAsPopup="true"
      popupDateFormat="dd.MM.yyyy">
      <f:convertDateTime pattern="dd.MM.yyyy" />
      </ice:inputText>

      <!-- Same scenario with selectInputDate; the id must differ from the inputText above -->
      <ice:selectInputDate id="fromReportDate" title="title" renderAsPopup="true"
      popupDateFormat="dd.MM.yyyy" partialSubmit="true">
      <f:convertDateTime pattern="dd.MM.yyyy" />
      </ice:selectInputDate>

      <ice:commandButton value="Submit Application" />
      ---code---
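To show the defect from the renderer's side, here is an added example in plain Java that is not ICEfaces code: it models a messages renderer that writes the conversion-error summary verbatim next to one that HTML-escapes it, which is the difference between writing raw text and using an escaping write such as ResponseWriter.writeText. The class and method names and the summary wording are assumptions.

```java
import java.util.Arrays;
import java.util.List;

public class MessagesEscapeDemo {
    // Escape the characters that change meaning inside HTML text content.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Conversion-error summary in the style of a JSF converter message:
    // the raw submitted value is interpolated into the text (wording assumed).
    static String conversionSummary(String clientId, String submittedValue) {
        return clientId + ": '" + submittedValue + "' could not be understood as a date.";
    }

    // Behaviour the report describes: the summary is copied into the markup
    // unchanged, so any markup in the submitted value becomes live HTML.
    static String renderUnescaped(List<String> summaries) {
        StringBuilder html = new StringBuilder("<ul>");
        for (String s : summaries) html.append("<li>").append(s).append("</li>");
        return html.append("</ul>").toString();
    }

    // Fixed behaviour: every summary passes through the escaper before output.
    static String renderEscaped(List<String> summaries) {
        StringBuilder html = new StringBuilder("<ul>");
        for (String s : summaries) html.append("<li>").append(escapeHtml(s)).append("</li>");
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed input: the value quoted in the report.
        String submitted = "<script>alert('hello!')</script>";
        List<String> msgs = Arrays.asList(conversionSummary("form:fromReport", submitted));
        System.out.println("unescaped has live script tag: " + renderUnescaped(msgs).contains("<script>"));
        System.out.println("escaped has live script tag:   " + renderEscaped(msgs).contains("<script>"));
        System.out.println(renderEscaped(msgs));
    }
}
```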

        People

        • Assignee: Unassigned
        • Reporter: Stefan Zeller
        • Votes: 2
        • Watchers: 1
