Repository: deltaspike Updated Branches: refs/heads/master f271b6ac7 -> d95abe8c0
DELTASPIKE-1307 improve sanitise windowId Also guard against html injection Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/d95abe8c Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/d95abe8c Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/d95abe8c Branch: refs/heads/master Commit: d95abe8c01d256da2ce0a5a88f4593138156a4e5 Parents: f271b6a Author: Mark Struberg <[email protected]> Authored: Sat Dec 30 10:55:20 2017 +0100 Committer: Mark Struberg <[email protected]> Committed: Sat Dec 30 10:55:20 2017 +0100 ---------------------------------------------------------------------- .../scope/window/strategy/AbstractClientWindowStrategy.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/deltaspike/blob/d95abe8c/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java ----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
index f98bdc7..dc621c1 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
@@ -98,12 +98,12 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow
 /**
 * We have to escape some characters to make sure we do not open
- * any XSS vectors. E.g. replace () etc to
- * prevent attackers from injecting JavaScript function calls.
+ * any XSS vectors. E.g. replace (,<, & etc to
+ * prevent attackers from injecting JavaScript function calls or html.
 */
 protected String sanitiseWindowId(String windowId) {
- return windowId.replace('(', '_');
+ return windowId.replace('(', '_').replace('<', '_').replace('&', '_');
 }
 protected abstract String getOrCreateWindowId(FacesContext facesContext);
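Review bot: The sanitiser on the new `return` line is still a deny-list of three characters, so `)`, `"`, `'` and `>` pass through unchanged and an id can still close an attribute or a JavaScript string depending on the context it is rendered into. An allow-list is the more robust shape here, e.g. `return windowId.replaceAll("[^A-Za-z0-9_-]", "_");` with the pattern compiled once as a `static final Pattern`, assuming the ids produced by the concrete strategies are alphanumeric — confirm against the window-id generators before narrowing. `windowId.replace(...)` also throws NullPointerException on a null id; if any caller can pass null, guard it or state the non-null precondition with `@throws NullPointerException` in the Javadoc. The Javadoc would be clearer naming the policy instead of listing examples: `Replaces every character outside [A-Za-z0-9_-] with '_' so the id is safe to embed in URL, HTML and JavaScript contexts.` This replacement is not a substitute for output encoding at the sink; the id should still be encoded wherever it is written into a page or script.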
