DELTASPIKE-1307 sanitise windowId against JavaScript injection
Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/72e607f3 Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/72e607f3 Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/72e607f3 Branch: refs/heads/master Commit: 72e607f3be66c30c72b32c24b44e9deaa8e54608 Parents: 11b40fe Author: Mark Struberg <strub...@apache.org> Authored: Thu Dec 21 12:50:00 2017 +0100 Committer: Mark Struberg <strub...@apache.org> Committed: Thu Dec 21 12:50:00 2017 +0100 ---------------------------------------------------------------------- .../strategy/AbstractClientWindowStrategy.java | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/deltaspike/blob/72e607f3/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java ----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
index 4078e45..f98bdc7 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
@@ -25,7 +25,6 @@ import javax.annotation.PostConstruct;
 import javax.faces.context.FacesContext;
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
-import org.apache.deltaspike.core.spi.scope.window.WindowContext;
 import org.apache.deltaspike.jsf.api.config.JsfModuleConfig;
 import org.apache.deltaspike.jsf.impl.util.ClientWindowHelper;
 import org.apache.deltaspike.jsf.spi.scope.window.ClientWindow;
@@ -52,9 +51,6 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow
 @Inject
 protected JsfModuleConfig jsfModuleConfig;
-@Inject
-protected WindowContext windowContext;
-
 private int maxWindowIdCount = 10;
 @PostConstruct
@@ -77,8 +73,11 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow windowId = getOrCreateWindowId(facesContext); + if (windowId != null) { + windowId = sanitiseWindowId(windowId); + // don't cut the windowId generated from JSF ClientWindowConfig.ClientWindowRenderMode clientWindowRenderMode = clientWindowConfig.getClientWindowRenderMode(facesContext);
@@ -96,6 +95,17 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow
 return windowId;
 }
+
+/**
+ * We have to escape some characters to make sure we do not open
+ * any XSS vectors. E.g. replace () etc to
+ * prevent attackers from injecting JavaScript function calls.
+ */
+protected String sanitiseWindowId(String windowId)
+{
+ return windowId.replace('(', '_');
+}
+
 protected abstract String getOrCreateWindowId(FacesContext facesContext);
 protected String generateNewWindowId()
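Review bot: `sanitiseWindowId` in the last hunk replaces only `(` while its Javadoc promises to handle `()` etc., so `)`, quotes, `<`, `>`, `;`, `&` and backslashes in a request-supplied id still pass through unchanged to wherever the id is later written (ClientWindowHelper is imported, but that rendering code is outside the hunk). A one-character blacklist is a brittle defence for an untrusted value; the `// don't cut the windowId` comment and the `maxWindowIdCount` field suggest ids are meant to be short generated tokens, so an allowlist is easier to reason about, e.g. `return windowId.replaceAll("[^A-Za-z0-9_-]", "_");` — confirm the character set against what `generateNewWindowId()` emits, whose body is outside the hunk. Whichever set is chosen, the Javadoc should state it explicitly instead of `etc`, and context-appropriate output encoding at the point where the id is placed into HTML or script is still required because this method only narrows the value, it does not make it safe for every sink.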