
XSS hole: GenericObjectSelectItem incorrectly defaults to itemLabelEscaped="false"

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.1.19
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      GenericObjectSelectItem defaults to itemLabelEscaped="false", which opens a possible unforeseen XSS hole. Escaping should always default to "true" and disabling it should only be done explicitly. All other JSF components do that correctly.

      Inside the updateItem() method of GenericObjectSelectItem, the "false" in the following block

      setEscape(((itemEscapedResult != null)
          ? Boolean.valueOf(itemEscapedResult.toString())
          : false));

      should have been "true":

      setEscape(((itemEscapedResult != null)
          ? Boolean.valueOf(itemEscapedResult.toString())
          : true));
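      As an added illustration (not Mojarra's code and not part of the report), the defaulting rule quoted above is placed beside a minimal option renderer so the effect of the default on a label containing markup characters is visible; the escaping helper, the class and the sample label are constructed for this demo and stand in for the real JSF encoder.

```java
// Added illustration, not Mojarra code: models the defaulting logic quoted
// in the report and shows what reaches the <option> element either way.
public class SelectItemEscapeDemo {

    // Minimal HTML text escaping covering the characters a JSF renderer
    // neutralises when escape=true (assumption: stands in for the real encoder).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // The defaulting rule from the report: itemEscapedResult is the evaluated
    // itemLabelEscaped attribute, null when the page author did not set it.
    static boolean resolveEscape(Object itemEscapedResult, boolean defaultWhenUnset) {
        return itemEscapedResult != null
                ? Boolean.valueOf(itemEscapedResult.toString())
                : defaultWhenUnset;
    }

    // Renders one <option>; the label text is only escaped when escape is true.
    static String renderOption(String value, String label, boolean escape) {
        return "<option value=\"" + escapeHtml(value) + "\">"
                + (escape ? escapeHtml(label) : label) + "</option>";
    }

    public static void main(String[] args) {
        // Constructed label: ordinary data that happens to contain markup characters.
        String label = "Smith & Sons <b>Ltd</b>";
        Object unset = null;  // page author did not specify itemLabelEscaped

        // 2.1.19 behaviour (default false): markup passes through verbatim.
        System.out.println(renderOption("1", label, resolveEscape(unset, false)));
        // Behaviour the report asks for (default true): markup is neutralised.
        System.out.println(renderOption("1", label, resolveEscape(unset, true)));
        // An explicit itemLabelEscaped="true" is honoured under either default.
        System.out.println(renderOption("1", label, resolveEscape("true", false)));
    }
}
```

      The third line of output shows the workaround available on a release where the default is not changed: set itemLabelEscaped explicitly rather than relying on the default.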

        Issue Links

          Activity

          balusc created issue
          Ed Burns made changes
            Link: This issue depends on JAVASERVERFACES_SPEC_PUBLIC-1167
          rogerk made changes
            Assignee: rogerk
          rogerk added a comment

          I'll have to see what the spec says about this too.

          rogerk made changes
            Assignee: rogerk
          Manfred Riem made changes
            Assignee: Manfred Riem [ mriem ]
          Manfred Riem added a comment

          This required a change of the spec and as such was fixed in 2.2 and won't be back ported to 2.1.

          Manfred Riem made changes
            Status: Open -> Closed
            Resolution: Won't Fix

            People

            • Assignee: Manfred Riem
            • Reporter: balusc
            • Votes: 3
            • Watchers: 3

              Dates

              • Created:
              • Updated:
              • Resolved: