Details
-
Type: Bug
-
Status: Closed
-
Priority: Critical
-
Resolution: Fixed
-
Affects Version/s: 1.8.1, 1.8.3
-
Fix Version/s: 1.8.2-EE-GA
-
Component/s: ICE-Components
-
Labels:None
-
Environment:..
-
ICEsoft Forum Reference:
Description
Assume an inputText (or even selectInputDate) with a date converter and a ice:messages component.
When the user enters JavaScript (<script>alert('hello!')</script>), the messages component will be executed!
This does not happen with pure JSF and facelts.
---code---
<ice:messages />
<ice:inputText id="fromReport" title="title" renderAsPopup="true"
popupDateFormat="dd.MM.yyyy">
<f:convertDateTime pattern="dd.MM.yyyy" />
</ice:inputText>
<ice:selectInputDate id="fromReport" title="title" renderAsPopup="true"
popupDateFormat="dd.MM.yyyy" partialSubmit="true">
<f:convertDateTime pattern="dd.MM.yyyy" />
</ice:selectInputDate>
<ice:commandButton value="Submit Application" />
---code---
When the user enters JavaScript (<script>alert('hello!')</script>), the messages component will be executed!
This does not happen with pure JSF and facelts.
---code---
<ice:messages />
<ice:inputText id="fromReport" title="title" renderAsPopup="true"
popupDateFormat="dd.MM.yyyy">
<f:convertDateTime pattern="dd.MM.yyyy" />
</ice:inputText>
<ice:selectInputDate id="fromReport" title="title" renderAsPopup="true"
popupDateFormat="dd.MM.yyyy" partialSubmit="true">
<f:convertDateTime pattern="dd.MM.yyyy" />
</ice:selectInputDate>
<ice:commandButton value="Submit Application" />
---code---
With stock JSF, the ResponseWriter automatically does escaping. With our D2D rendering, the components themselves have to make use of the DOMUtils.escapeAnsi(String) utility method. MessageRenderer and MessagesRenderer should be modified to make use of it.