Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Critical
-
Resolution: Fixed
-
Affects Version/s: 1.8.1, 1.8.3
-
Fix Version/s: 1.8.2-EE-GA
-
Component/s: ICE-Components
-
Labels:None
-
Environment:..
-
ICEsoft Forum Reference:
Description
Assume an inputText (or even selectInputDate) with a date converter and a ice:messages component.
When the user enters JavaScript (<script>alert('hello!')</script>), the messages component will be executed!
This does not happen with pure JSF and facelts.
---code---
<ice:messages />
<ice:inputText id="fromReport" title="title" renderAsPopup="true"
popupDateFormat="dd.MM.yyyy">
<f:convertDateTime pattern="dd.MM.yyyy" />
</ice:inputText>
<ice:selectInputDate id="fromReport" title="title" renderAsPopup="true"
popupDateFormat="dd.MM.yyyy" partialSubmit="true">
<f:convertDateTime pattern="dd.MM.yyyy" />
</ice:selectInputDate>
<ice:commandButton value="Submit Application" />
---code---
When the user enters JavaScript (<script>alert('hello!')</script>), the messages component will be executed!
This does not happen with pure JSF and facelts.
---code---
<ice:messages />
<ice:inputText id="fromReport" title="title" renderAsPopup="true"
popupDateFormat="dd.MM.yyyy">
<f:convertDateTime pattern="dd.MM.yyyy" />
</ice:inputText>
<ice:selectInputDate id="fromReport" title="title" renderAsPopup="true"
popupDateFormat="dd.MM.yyyy" partialSubmit="true">
<f:convertDateTime pattern="dd.MM.yyyy" />
</ice:selectInputDate>
<ice:commandButton value="Submit Application" />
---code---
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion