This is an automated email from the ASF dual-hosted git repository. ilgrosso pushed a commit to branch 4_0_X in repository https://gitbox.apache.org/repos/asf/syncope.git
commit fed74c132e940b52936468658145e5eda149878c
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Fri Jan 16 10:00:54 2026 +0100
Enduser: ensure to sanitize notification message
---
 client/idrepo/common-ui/pom.xml | 7 ++++++-
 .../org/apache/syncope/client/ui/commons/BaseLogin.java | 3 ++-
 .../client/ui/commons/StyledNotificationBehavior.java | 14 +++++++++++---
 3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/client/idrepo/common-ui/pom.xml b/client/idrepo/common-ui/pom.xml
index 3123cf3fea..c607099922 100644
--- a/client/idrepo/common-ui/pom.xml
+++ b/client/idrepo/common-ui/pom.xml
@@ -113,7 +113,12 @@ under the License.
 <groupId>org.apache.pdfbox</groupId>
 <artifactId>pdfbox</artifactId>
 </dependency>
-
+
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-text</artifactId>
+ </dependency>
+
 <dependency>
 <groupId>org.apache.syncope.common.keymaster</groupId>
 <artifactId>syncope-common-keymaster-client-api</artifactId>
diff --git a/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/BaseLogin.java b/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/BaseLogin.java
index 74aab1280d..1d1324250d 100644
--- a/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/BaseLogin.java
+++ b/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/BaseLogin.java
@@ -25,6 +25,7 @@ import java.util.Collection;
 import java.util.List;
 import java.util.Locale;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.apache.syncope.client.ui.commons.panels.BaseSSOLoginFormPanel;
 import org.apache.syncope.client.ui.commons.panels.NotificationPanel;
 import org.apache.syncope.common.keymaster.client.api.DomainOps;
@@ -198,7 +199,7 @@ public abstract class BaseLogin extends WebPage {
 if (StringUtils.isNotBlank(notificationMessage)) {
 response.render(OnLoadHeaderItem.forScript(StyledNotificationBehavior.jQueryShow(
- notificationMessage,
+ StringEscapeUtils.escapeEcmaScript(notificationMessage),
 String.format("jQuery('#%s').data('kendoNotification')",
 notificationPanel.getNotificationMarkupId()),
 notificationLevel)));
diff --git a/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/StyledNotificationBehavior.java b/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/StyledNotificationBehavior.java
index 2faf75f932..614acb86ce 100644
--- a/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/StyledNotificationBehavior.java
+++ b/client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/StyledNotificationBehavior.java
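Review bot: escapeEcmaScript on the added line covers only the JavaScript string-literal context: the value lands in `message: '%s'` and is then handed to the kendoNotification widget, which, as far as I recall, renders `message` through its template as markup rather than as text. If that is confirmed against the widget's template configuration, notificationMessage — presumably request-derived, given the commit subject — also needs HTML encoding, applied innermost so the literal delivers an already-encoded string to the DOM: `StringEscapeUtils.escapeEcmaScript(StringEscapeUtils.escapeHtml4(notificationMessage)),`. If the widget renders the message as plain text instead, this line is sufficient for this sink, and a short comment such as `// notificationMessage is interpolated into a JS string literal by jQueryShow` would keep a later refactor from dropping the escape. The enclosing method starts and ends outside the hunk.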
@@ -39,17 +39,25 @@ public class StyledNotificationBehavior extends NotificationBehavior {
 @Override
 public void show(final IPartialPageRequestHandler handler, final Serializable message, final String level) {
 if (handler != null) {
- handler.appendJavaScript(jQueryShow(this.format(String.valueOf(message), level), this.widget(), level));
+ handler.appendJavaScript(jQueryShow(format(String.valueOf(message), level), widget(), level));
 }
 }
 public static String jQueryShow(final CharSequence message, final String widget, final String level) {
+ String actual = Notification.INFO.equalsIgnoreCase(level)
+ ? Notification.INFO
+ : Notification.SUCCESS.equalsIgnoreCase(level)
+ ? Notification.SUCCESS
+ : Notification.ERROR.equalsIgnoreCase(level)
+ ? Notification.ERROR
+ : Notification.WARNING;
+
 return String.format("%s.options.autoHideAfter = %s; %s.show( { message: '%s' } , '%s');",
 widget,
- Notification.SUCCESS.equalsIgnoreCase(level) || Notification.INFO.equalsIgnoreCase(level)
+ Notification.SUCCESS.equals(actual) || Notification.INFO.equals(actual)
 ? AUTOHIDEAFTER_GOOD : AUTOHIDEAFTER_BAD,
 widget,
 message,
- level.toLowerCase());
+ actual);
 }
 }
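Review bot: jQueryShow still formats the raw `message` parameter into the single-quoted literal `message: '%s'`, so the escaping this commit introduces lives in one caller (BaseLogin) rather than at the sink, and the other caller visible in this hunk, show(), passes `format(String.valueOf(message), level)` with no escape in sight — unless format(), defined outside this hunk (possibly in the superclass), already ECMAScript-escapes, a quote or backslash in that message still terminates the literal. With commons-text now a dependency of this module, the safer shape is to escape at the sink, `StringEscapeUtils.escapeEcmaScript(String.valueOf(message))` as the message argument of the String.format call, and drop the caller-side escape in BaseLogin so the value is not encoded twice. If the caller-side contract is intended instead, record it where the next caller will see it, with a Javadoc on jQueryShow such as `@param message text already escaped for an ECMAScript single-quoted string literal (callers are responsible for this, and for HTML encoding if the widget renders markup)`. The `actual` ladder is the right move for the other interpolation: `level` no longer reaches the script unescaped, and a null or unrecognised level now falls back to WARNING instead of `level.toLowerCase()` throwing.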
