This is an automated email from the ASF dual-hosted git repository.
cbeikov pushed a commit to branch deltaspike-1.8.x
in repository https://gitbox.apache.org/repos/asf/deltaspike.git
The following commit(s) were added to refs/heads/deltaspike-1.8.x by this push:
new 10a9105 DELTASPIKE-1401 - Fix multiple XSS issues in
ClientSideWindowStrategy
10a9105 is described below
commit 10a9105d7a734a2a64dc0f3b8a2862eaf3fe5f61
Author: Christian Beikov <[email protected]>
AuthorDate: Thu Jan 16 13:52:41 2020 +0100
DELTASPIKE-1401 - Fix multiple XSS issues in ClientSideWindowStrategy
---
deltaspike/modules/jsf/impl-ee6/pom.xml | 5 +++++
deltaspike/modules/jsf/impl/pom.xml | 5 +++++
.../jsf/impl/scope/window/strategy/ClientSideWindowStrategy.java | 8 +++++---
deltaspike/parent/pom.xml | 7 +++++++
4 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/deltaspike/modules/jsf/impl-ee6/pom.xml
b/deltaspike/modules/jsf/impl-ee6/pom.xml
index d001c81..cce0f50 100644
--- a/deltaspike/modules/jsf/impl-ee6/pom.xml
+++ b/deltaspike/modules/jsf/impl-ee6/pom.xml
@@ -138,6 +138,11 @@
</dependency>
<dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ </dependency>
+
+ <dependency>
<groupId>org.apache.geronimo.specs</groupId>
<artifactId>geronimo-el_2.2_spec</artifactId>
<version>1.0</version>
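Review bot: The `org.owasp.encoder:encoder` dependency is added to the impl-ee6 module here, yet the diffstat shows the only Java change under `modules/jsf/impl`; if impl-ee6 compiles its own copy of ClientSideWindowStrategy instead of reusing the impl sources, that copy would still write the unencoded windowId and URLs into the window handler page. It is worth confirming that the ee6 build actually picks up the fixed source, otherwise the dependency is pulled in without the fix. A short comment on the new `<dependency>`, e.g. `<!-- output encoding for ClientSideWindowStrategy (DELTASPIKE-1401) -->`, would also tell the next reader why an encoder library appears in a JSF module.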
diff --git a/deltaspike/modules/jsf/impl/pom.xml
b/deltaspike/modules/jsf/impl/pom.xml
index bf961cf..a050ad8 100644
--- a/deltaspike/modules/jsf/impl/pom.xml
+++ b/deltaspike/modules/jsf/impl/pom.xml
@@ -120,6 +120,11 @@
</dependency>
<dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ </dependency>
+
+ <dependency>
<groupId>org.apache.geronimo.specs</groupId>
<artifactId>geronimo-el_2.2_spec</artifactId>
<version>1.0</version>
diff --git
a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/ClientSideWindowStrategy.java
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/ClientSideWindowStrategy.java
index 572da07..a18010c 100644
---
a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/ClientSideWindowStrategy.java
+++
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/ClientSideWindowStrategy.java
@@ -118,15 +118,17 @@ public class ClientSideWindowStrategy extends
AbstractClientWindowStrategy
// set the windowId value in the javascript code
windowHandlerHtml =
windowHandlerHtml.replace(WINDOW_ID_REPLACE_PATTERN,
- windowId);
+
org.owasp.encoder.Encode.forJavaScriptBlock(windowId));
// set the current request url
// on the client we can't use window.location as the location
// could be a different when using forwards
windowHandlerHtml =
windowHandlerHtml.replace(REQUEST_URL_REPLACE_PATTERN,
- ClientWindowHelper.constructRequestUrl(externalContext));
+
org.owasp.encoder.Encode.forJavaScriptBlock(
+
ClientWindowHelper.constructRequestUrl(externalContext)));
// set the noscript-URL for users with no JavaScript
windowHandlerHtml =
- windowHandlerHtml.replace(NOSCRIPT_URL_REPLACE_PATTERN,
getNoscriptUrl(externalContext));
+ windowHandlerHtml.replace(NOSCRIPT_URL_REPLACE_PATTERN,
+
org.owasp.encoder.Encode.forHtmlAttribute(getNoscriptUrl(externalContext)));
OutputStream os = httpResponse.getOutputStream();
try
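Review bot: The three `Encode` calls are the right choice only if each placeholder in the window handler template sits in the context the encoder assumes: `WINDOW_ID_REPLACE_PATTERN` and `REQUEST_URL_REPLACE_PATTERN` inside a quoted JavaScript string literal in an inline `<script>` block, and `NOSCRIPT_URL_REPLACE_PATTERN` inside a quoted HTML attribute; `forJavaScriptBlock` escapes quotes as well as `/` and `-`, so `</script>` and comment sequences cannot terminate the block, but it offers no protection for a placeholder that is not quoted. The template is not visible in this hunk, so please confirm the quoting there and record the assumption next to the replaces, e.g. `// placeholders sit in quoted JS string literals / a quoted attribute; encoders match those contexts`. Spelling out `org.owasp.encoder.Encode` three times makes the lines hard to read; an `import org.owasp.encoder.Encode;` and `Encode.forJavaScriptBlock(windowId)` would keep them short. As a second layer, if window ids are expected to match a fixed format, rejecting a non-matching incoming windowId before it reaches the template would make the page safe independently of the output encoding. The enclosing method continues outside the hunk.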
diff --git a/deltaspike/parent/pom.xml b/deltaspike/parent/pom.xml
index 6ff8325..969360b 100644
--- a/deltaspike/parent/pom.xml
+++ b/deltaspike/parent/pom.xml
@@ -715,6 +715,13 @@
<scope>provided</scope>
</dependency>
+ <!-- dependency for DELTASPIKE-1401 -->
+ <dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.2</version>
+ </dependency>
+
<!-- TomEE dependencies -->
<dependency>
<groupId>org.apache.openejb</groupId>