ICEfaces / ICE-5854

Output components don't escape JavaScript

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.2-EE-GA_P01, 2.0-Beta2
    • Fix Version/s: 2.0.0
    • Component/s: Framework, ICE-Components
    • Labels: None
    • Environment: All
    • Workaround Exists: Yes
    • Workaround Description:
      Escape the value before passing it in:

      import com.icesoft.faces.util.DOMUtils;

      // Escape markup-significant characters before the value reaches the output component.
      String escaped = DOMUtils.escapeAnsi(value);

      Description

      The ICEfaces output components are not escaped by default, which makes them vulnerable to cross-site scripting attacks. The <ice:outputText> uses the escape attribute but the other output components do not (e.g. <ice:selectOneMenu/>). Doing a test in a pure JSF application reveals that the JSF framework filters/escapes JavaScript by default.

        Activity

        Ted Goddard added a comment -

        Verified problem to still be present with ICEfaces 2.0 compat.

        For instance, the following string will result in script execution when set on the selectOne:

        <script>alert('hello')</script>

        Ted Goddard added a comment -

        Attached file can be unzipped in component-showcase expanded directory to reproduce the problem.

        Ted Goddard added a comment -

        Code from compat/core/src/main/java/com/icesoft/faces/renderkit/dom_html_basic/MenuRenderer.java

        Text labelNode = doc.createTextNode(label == null ? valueString : label);

        A DOM Text object is created directly from the component valueString. Most calls to createTextNode are invoked via domContext.createTextNode(); many are of the form

        domContext.getDocument().createTextNode(detail);

        The legacy DOMContext API could be modified to perform escaping and the few remaining cases that operate on the DOM directly could be replaced with DOMContext versions.

        Ted Goddard added a comment -

        Compat components have been modified to use createTextNodeUnescaped only when necessary. Note that there are possible script injection attacks through some of the scripts generated by components, for instance:

        Ice.FCKeditor.register ('iceform:iceInpRchTxt', new Ice.FCKeditor('iceform:iceInpRchTxt', 'en', '', '/component-showcase/icefaces/resource/LTQ5MTYyMDg1Mw==/','600', '275', 'Default', 'null', 'silver'))

        The 'null' in the above consists of options passed to the editor component. If these options are dynamically generated from user input, there is the possibility of script injection attacks.

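The approach sketched in the two comments above (escaping inside the text-node factory by default and reserving an unescaped variant for markup the component itself generates), shown as an added example that is not ICEfaces code: the TextNodes class and htmlEscape are hypothetical stand-ins for DOMContext and its escaping, and the println stands in for ICEfaces' own DOM-to-HTML serializer, which writes text content verbatim.

```java
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Text;
import javax.xml.parsers.DocumentBuilderFactory;

// Hypothetical stand-in for a DOMContext that escapes by default (not ICEfaces code).
public class TextNodes {
    private final Document doc;

    TextNodes(Document doc) { this.doc = doc; }

    // Escape the characters that are significant in HTML text and attribute content.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Default path: component values and labels are escaped before they reach the DOM.
    Text createTextNode(String value) { return doc.createTextNode(htmlEscape(value)); }

    // Only for markup the component itself generated, never for user-supplied values.
    Text createTextNodeUnescaped(String markup) { return doc.createTextNode(markup); }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        TextNodes nodes = new TextNodes(doc);
        // Constructed label mirroring the reproduction string quoted in the comments.
        String label = "<script>alert('hello')</script>";
        Element option = doc.createElement("option");
        option.appendChild(nodes.createTextNode(label));
        // A serializer that writes node text verbatim (as the old MenuRenderer path did)
        // now emits inert entity text instead of a live script element.
        System.out.println("<option>" + option.getTextContent() + "</option>");
    }
}
```

The JavaScript-options case in the FCKeditor registration call is a different output context (a JS string literal), and HTML entity escaping alone does not make user input safe there.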
        Ted Goddard added a comment -

        The fix was not overly complex and could be back-ported to ICEfaces 1.8 if required.


          People

          • Assignee: Ted Goddard
          • Reporter: Arran Mccullough
