[ICE-7658] CLONE -Output components don't escape JavaScript - ICEsoft JIRA Issue Tracker

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.8.2-EE-GA_P01, 2.0-Beta2
Fix Version/s: EE-1.8.2.GA_P04
Component/s: Framework, ICE-Components
Labels:
None
Environment:
All

Workaround Exists:

Yes
Workaround Description:

Hide
Escape the value before passing it in:

import com.icesoft.faces.util.DOMUtils;

escaped = DOMUtils.escapeAnsi(value);

Show
Escape the value before passing it in: import com.icesoft.faces.util.DOMUtils; escaped = DOMUtils.escapeAnsi(value);

Description

The ICEfaces output component are not escaped by default which makes them vulnerable to cross site scripting attacks. The <ice:outputText> uses the escape attribute but the other output components do not (ex: <ice:selectOneMenu/>). Doing a test in a pure JSF application reveals that the JSF framework by default filters/escapes JavaScript by default.

Activity

Ascending order - Click to sort in descending order

Arran Mccullough created issue - 12/Jan/12 12:02 PM

Arran Mccullough made changes - 12/Jan/12 12:03 PM

Field	Original Value	New Value
Salesforce Case	[5007000000C47HV]	[5007000000KENdT]
Fix Version/s		EE-1.8.2.GA_P04 [ 10280 ]
Fix Version/s	2.0.0 [ 10230 ]

Ted Goddard made changes - 12/Jan/12 12:09 PM

Assignee

Ted Goddard [ ted.goddard ]

Arran Mccullough [ arran.mccullough ]

Arran Mccullough made changes - 12/Jan/12 12:36 PM

Assignee

Arran Mccullough [ arran.mccullough ]

Ted Goddard [ ted.goddard ]

Ted Goddard made changes - 17/Jan/12 12:42 PM

Status	Open [ 1 ]	Resolved [ 5 ]
Resolution		Fixed [ 1 ]

Ken Fyten made changes - 23/Apr/12 12:01 PM

Status

Resolved [ 5 ]

Closed [ 6 ]

People

Assignee:

Ted Goddard

Reporter:

Arran Mccullough

Votes:

1 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

12/Jan/12 12:02 PM

Updated:

23/Apr/12 12:01 PM

Resolved:

17/Jan/12 12:42 PM