ICEfaces
  1. ICEfaces
  2. ICE-4699

Cross Scripting Issue: ice:messages don't escape JavaScript

          Details

          • Type: Bug Bug
          • Status: Closed
          • Priority: Critical Critical
          • Resolution: Fixed
          • Affects Version/s: 1.8.1, 1.8.3
          • Fix Version/s: 1.8.2-EE-GA
          • Component/s: ICE-Components
          • Labels:
            None
          • Environment:
            ..

            Description

            Assume an inputText (or even selectInputDate) with a date converter and a ice:messages component.

            When the user enters JavaScript (<script>alert('hello!')</script>), the messages component will be executed!

            This does not happen with pure JSF and facelts.

            ---code---
            <ice:messages />

            <ice:inputText id="fromReport" title="title" renderAsPopup="true"
            popupDateFormat="dd.MM.yyyy">
            <f:convertDateTime pattern="dd.MM.yyyy" />
            </ice:inputText>

            <ice:selectInputDate id="fromReport" title="title" renderAsPopup="true"
            popupDateFormat="dd.MM.yyyy" partialSubmit="true">
            <f:convertDateTime pattern="dd.MM.yyyy" />
            </ice:selectInputDate>

            <ice:commandButton value="Submit Application" />
            ---code---

              Activity

              Descending order - Click to sort in ascending order
              Hide
              Permalink
              Joanne Bai added a comment -

              QA confirmed the fix using component showcase jsp on ICEfaces-ee-1.8.2 branch revision #19725
              Tested on: Tomcat 6 + FF3.5 and IE8

              Testing steps:
              -> load component showcase jsp in the browser and navigate to the Calendar page
              -> in date entry box, enter <script>alert('hello!')</script> and then tab out
              -> should see a message saying something like "iceform:sdSub:popupDatePttrn1: '<script>alert('hello!')</script>' could not be understood as a date.". A popup with text "hello" should not show up.

              Show
              Joanne Bai added a comment - QA confirmed the fix using component showcase jsp on ICEfaces-ee-1.8.2 branch revision #19725 Tested on: Tomcat 6 + FF3.5 and IE8 Testing steps: -> load component showcase jsp in the browser and navigate to the Calendar page -> in date entry box, enter <script>alert('hello!')</script> and then tab out -> should see a message saying something like "iceform:sdSub:popupDatePttrn1: '<script>alert('hello!')</script>' could not be understood as a date.". A popup with text "hello" should not show up.
              Hide
              Permalink
              yip.ng added a comment -

              Fixed as suggested by Mark. See screenshot-1.

              Show
              yip.ng added a comment - Fixed as suggested by Mark. See screenshot-1.
              Hide
              Permalink
              Mark Collette added a comment -

              With stock JSF, the ResponseWriter automatically does escaping. With our D2D rendering, the components themselves have to make use of the DOMUtils.escapeAnsi(String) utility method. MessageRenderer and MessagesRenderer should be modified to make use of it.

              Show
              Mark Collette added a comment - With stock JSF, the ResponseWriter automatically does escaping. With our D2D rendering, the components themselves have to make use of the DOMUtils.escapeAnsi(String) utility method. MessageRenderer and MessagesRenderer should be modified to make use of it.

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  Stefan Zeller
                • Votes:
                  2 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: