ICEfaces / ICE-8806

ice:outputLabel - Add an escape attribute

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-1.8.2.GA_P04
    • Fix Version/s: EE-1.8.2.GA_P06
    • Component/s: ICE-Components
    • Labels: None
    • Environment: All
    • Salesforce Case Reference: 5007000000PYbXoAAL

      Description

      With the changes made to resolve XSS attacks in ICE-5854, the ice:outputLabel no longer escapes the value. The feature request is to add an escape attribute which will allow the developer to decide whether it should be escaped or not. This would be similar functionality to that of the ice:outputText.

          Activity

          Arran Mccullough created issue -
          Arran Mccullough added a comment -

          A test case that shows this behavior can be provided.

          Arran Mccullough made changes -
          Salesforce Case Reference: 5007000000PYbXoAAL
          Ken Fyten made changes -
          Fix Version/s EE-1.8.2.GA_P06 [ 10470 ]
          Arran Mccullough made changes -
          Link This issue depends on ICE-8850 [ ICE-8850 ]
          Ken Fyten made changes -
          Assignee yip.ng [ yip.ng ]
          yip.ng made changes -
          Attachment screenshot-01.png [ 15308 ]
          yip.ng added a comment - - edited

          Two problems:

          1. Even with <ice:outputText>, the use of the "<" and "&" characters will generate SAXParseException. You must use the entities "&lt;" and "&amp;". (This rather defeats the usefulness of the escape attribute?) The ">" character is OK.

          SEVERE: Parse Fatal Error at line 711 column 41: The value of attribute "value" associated with an element type "null" must not contain the '<' character.
          org.xml.sax.SAXParseException: The value of attribute "value" associated with an element type "null" must not contain the '<' character.

          SEVERE: Parse Fatal Error at line 711 column 42: The entity name must immediately follow the '&' in the entity reference.
          org.xml.sax.SAXParseException: The entity name must immediately follow the '&' in the entity reference.

          2. Using the exact same method DOMUtils.escapeAnsi() to do the escape as in <ice:outputText>, with exactly the same escaped output string in the renderer, the characters will still show up as entities on the web page. See screenshot-01.png. Maybe the browser just doesn't translate the entities in a label tag?

          Commit: ICEsoft Public SVN Repository #32946, Thu Jan 03 15:44:22 MST 2013, yip.ng: "ICE-8806: ice:outputLabel - Add an escape attribute."
          Files Changed:
            MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/LabelRenderer.java
            MODIFY /icefaces/trunk/icefaces/component-metadata/src/main/resources/conf/ice_properties/ice-outputLabel-props.xml
          yip.ng added a comment -

          More puzzling findings:

          1. Even with escape="false", <ice:outputText> still displays the characters properly. So what's the point of the escape?

          2. Created a minimal HTML page to display entities in <label> tag, and it works properly. So what's different in our rendering that causes it not to work?

          yip.ng added a comment - - edited

          Label value was already always escaped inside createTextNode(). So why does the JIRA description say "ice:outputLabel no longer escapes the value"? When I added escapeAnsi() in the renderer, it caused a double escape.

          Attribute added, and logic changed to avoid double escape.

          Confusions:

          When value is hardcoded, it goes through SAX parser, and the parser throws exceptions on certain characters. So user still has to escape themselves. In this case the parser will convert back to original characters before the renderer sees them.

          When value is in messages file, characters don't go through parser.

          Some characters will display properly whether you escape them or not.

          Revision: 32946

          Modified : /icefaces/trunk/icefaces/component-metadata/src/main/resources/conf/ice_properties/ice-outputLabel-props.xml
          Modified : /icefaces/trunk/icefaces/core/src/com/icesoft/faces/renderkit/dom_html_basic/LabelRenderer.java

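To make the double-escape and the parser behaviour described in the comments above concrete, here is an added Java example; it is not ICEfaces code. escapeHtml stands in for DOMUtils.escapeAnsi(), serializeTextNode models createTextNode() plus DOM serialization (assumed to always escape, as the comment states), and the attribute parse uses the JDK's own DocumentBuilder to mimic the SAX step a hardcoded page value goes through.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
public class LabelEscapeDemo {
    // Stand-in for an HTML text escaper such as DOMUtils.escapeAnsi() (not the
    // ICEfaces implementation): the characters that matter in element content.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // Models createTextNode() followed by DOM serialization: a text node's data is
    // always escaped on output (assumption, based on the comment above).
    static String serializeTextNode(String data) {
        return escapeHtml(data);
    }

    // "Before" the fix: renderer escapes, then the text node escapes again.
    static String renderLabelDoubleEscaped(String value) {
        return "<label>" + serializeTextNode(escapeHtml(value)) + "</label>";
    }

    // "After" the fix: the escape attribute decides the path, nothing escapes twice.
    //   escape=true  -> the text node does the single escaping
    //   escape=false -> value is emitted as raw markup (caller accepts the XSS risk)
    static String renderLabel(String value, boolean escape) {
        return "<label>" + (escape ? serializeTextNode(value) : value) + "</label>";
    }
    // Models the page-compilation step: a hardcoded attribute value is parsed as XML,
    // so "&lt;" reaches the renderer decoded, while a raw "<" is a fatal parse error.
    static String parseAttributeValue(String attrValue) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        InputSource src = new InputSource(new StringReader("<r value=\"" + attrValue + "\"/>"));
        return dbf.newDocumentBuilder().parse(src).getDocumentElement().getAttribute("value");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("double escape: " + renderLabelDoubleEscaped("a < b"));
        System.out.println("escape=true:   " + renderLabel("a < b", true));
        System.out.println("escape=false:  " + renderLabel("<b>Name</b>", false));
        System.out.println("parsed attr:   " + parseAttributeValue("a &lt; b"));
        try {
            parseAttributeValue("a < b");
        } catch (SAXParseException e) {
            System.out.println("parser rejects raw '<': " + e.getMessage());
        }
    }
}
```

The double-escaped run emits `&amp;lt;`, which a browser shows literally as `&lt;` (the symptom in screenshot-01.png), while the escape=true path emits a single `&lt;` and the parse of `a &lt; b` hands the renderer a plain `<`.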
          yip.ng made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Cruz Miraback added a comment -

          Confirmed using ICEfaces 1.8.2.GA_P06 build 1 in Firefox19, Chrome24, IE6/7/9.

          Ken Fyten made changes -
          Component/s Components [ 10012 ]
          Component/s ACE-Components [ 10050 ]
          Ken Fyten made changes -
          Status Resolved [ 5 ] Closed [ 6 ]

            People

            • Assignee: yip.ng
            • Reporter: Arran Mccullough
            • Votes: 0
            • Watchers: 2