JAVASERVERFACES-2747

XSS hole: GenericObjectSelectItem incorrectly defaults to itemLabelEscaped="false"

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.1.19
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      GenericObjectSelectItem defaults to itemLabelEscaped="false", which opens a possible unforeseen XSS hole. Escaping should always default to "true" and disabling it should only be done explicitly. All other JSF components do that correctly.

      Inside the updateItem() method of GenericObjectSelectItem, the "false" in the following block

      setEscape(((itemEscapedResult != null)
          ? Boolean.valueOf(itemEscapedResult.toString())
          : false));

      should have been "true":

      setEscape(((itemEscapedResult != null)
          ? Boolean.valueOf(itemEscapedResult.toString())
          : true));
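      As an added, stand-alone illustration (not code from Mojarra or from the reporter), the Java below models the quoted fallback logic next to a minimal option renderer, so the effect of a "false" versus "true" default on a label that carries markup is visible. The names resolveEscape, escapeHtml and renderOption are hypothetical helpers, and the label string is constructed sample data.

```java
public class SelectItemEscapeDemo {

    // Mirrors the quoted updateItem() logic: when no itemLabelEscaped
    // attribute was supplied (null), the fallback value decides.
    static boolean resolveEscape(Object itemEscapedResult, boolean fallback) {
        return (itemEscapedResult != null)
                ? Boolean.valueOf(itemEscapedResult.toString())
                : fallback;
    }

    // Minimal HTML escaping for text and attribute values
    // (hypothetical helper, not JSF's own response writer).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Renders one <option>: the value attribute is always escaped, the label
    // only when escape is true, as with the component's itemLabelEscaped.
    static String renderOption(String value, String label, boolean escape) {
        String text = escape ? escapeHtml(label) : label;
        return "<option value=\"" + escapeHtml(value) + "\">" + text + "</option>";
    }

    public static void main(String[] args) {
        // Constructed label: data that reached the item label unescaped.
        String label = "Acme & Co <b>bold</b>";

        // No itemLabelEscaped attribute: the 2.1.19 fallback is false,
        // so the markup is written raw into the page.
        boolean buggyDefault = resolveEscape(null, false);
        System.out.println(renderOption("1", label, buggyDefault));

        // With the proposed default of true the markup is rendered as text.
        boolean fixedDefault = resolveEscape(null, true);
        System.out.println(renderOption("1", label, fixedDefault));

        // An explicit attribute still wins over either default.
        System.out.println(resolveEscape("false", true)); // prints false
    }
}
```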

        Issue Links

          Activity

          balusc created issue -
          Ed Burns made changes -
          Field Original Value New Value
          Link This issue depends on JAVASERVERFACES_SPEC_PUBLIC-1167 [ JAVASERVERFACES_SPEC_PUBLIC-1167 ]
          rogerk made changes -
          Assignee rogerk [ rogerk ]
          rogerk made changes -
          Assignee rogerk [ rogerk ]
          Manfred Riem made changes -
          Assignee Manfred Riem [ mriem ]
          Manfred Riem made changes -
          Status Open [ 1 ] Closed [ 6 ]
          Resolution Won't Fix [ 2 ]

            People

            • Assignee: Manfred Riem
            • Reporter: balusc
            • Votes: 3
            • Watchers: 3
