Author: ccordenier
Date: Mon Sep  6 06:52:06 2010
New Revision: 992951

URL: http://svn.apache.org/viewvc?rev=992951&view=rev
Log:
Apply TAP5-1057 to 1.0.8 (see TAP5-1057)

Modified:
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java

Modified: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js?rev=992951&r1=992950&r2=992951&view=diff
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
 (original)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
 Mon Sep  6 06:52:06 2010
@@ -55,7 +55,7 @@ Tapestry.DateField = Class.create({
         }
 
 
-        var value = $F(this.field);
+        var value = $F(this.field).escapeHTML();
 
         if (value == "")
         {
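Review bot: The escaping is applied at the point where the value is read rather than where it is written into the page, so the HTML-escaped string is what every later use of `value` in this method sees — including, presumably, the value sent to the server for parsing and the empty-string check on the next line (the enclosing method starts and ends outside this hunk, so I cannot see those uses). Any legitimate input containing `&`, `<` or `>` is now silently altered before it is processed, and a later maintainer who adds a second sink for `value` will not know it is already escaped. I would keep `var value = $F(this.field);` and call `.escapeHTML()` (or insert a text node) only at the line that writes the value or the server's error message into the bubble's markup. Note also that Prototype's `escapeHTML` replaces only `&`, `<` and `>`, not quotes, so it is safe for element text but not for an attribute value — worth a comment at the sink: `// escapeHTML() covers text content only; not safe for attribute context`.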

Modified: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=992951&r1=992950&r2=992951&view=diff
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
 (original)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
 Mon Sep  6 06:52:06 2010
@@ -1267,6 +1267,19 @@ public class IntegrationTests extends Ab
 
         clickAndWait("link=english");
     }
+    
+    @Test
+    public void xss_datefield()
+    {
+        start("DateField Demo", "clear", "english");
+
+        type("asteroidImpact", "<script>alert('T5 is great'); </script>");
+
+        click("id=asteroidImpact-trigger");
+        
+        assertBubbleMessage("asteroidImpact", "Unparseable date: 
\"<script>alert('T5 is great'); </script>\"");
+
+    }
 
     /**
      * This also checks that the date type is displayed correctly by 
BeanDisplay and Grid.
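Review bot: The new test pins the escaping only indirectly: it asserts that the bubble's visible text equals the original payload, which depends on Selenium decoding the entities back, and it never asserts that no script ran. A direct check such as `assertFalse(isAlertPresent());` before the bubble assertion, or asserting that the bubble's markup contains `&lt;script&gt;` rather than `<script>`, would fail loudly if the escaping were removed. The test also exercises only the client-side trigger path (`click("id=asteroidImpact-trigger")`); if the same value is echoed by the server-side validation on form submit, that path is not covered here. The string literal on the assertion appears split across two lines, which looks like mail wrapping rather than the committed source, but is worth confirming since it would not compile as shown.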

