JAVASERVERFACES-2747

XSS hole: GenericObjectSelectItem incorrectly defaults to itemLabelEscaped="false"

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.1.19
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      GenericObjectSelectItem defaults to itemLabelEscaped="false" which opens a possible unforeseen XSS hole. Escaping should always default to "true" and disabling it should only explicitly be done. All other JSF components do that correctly.

      Inside updateItem() method of GenericObjectSelectItem, the "false" in following block

      setEscape(((itemEscapedResult != null)
          ? Boolean.valueOf(itemEscapedResult.toString())
          : false));
      

      should have been "true"

      setEscape(((itemEscapedResult != null)
          ? Boolean.valueOf(itemEscapedResult.toString())
          : true));
      
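To make the effect of that default concrete, here is an added Java illustration (not Mojarra's source; the class and helper names are invented): it resolves the flag with the same ternary quoted above, then renders an option whose label contains markup under the buggy default, under the corrected default, and with itemLabelEscaped set explicitly, which is the setting an unpatched application can use since an explicit attribute overrides either default.

```java
// Added illustration, not Mojarra's source: a minimal model of how the
// itemLabelEscaped attribute is resolved and what an <option> label looks
// like under the buggy default (false) versus the corrected one (true).
public class SelectItemEscapeDemo {

    /** Mirrors the ternary quoted in the report: explicit attribute wins, else the default. */
    static boolean resolveEscape(Object itemEscapedResult, boolean defaultWhenUnset) {
        return (itemEscapedResult != null)
            ? Boolean.valueOf(itemEscapedResult.toString())
            : defaultWhenUnset;
    }

    /** Minimal HTML escaping of the characters that matter inside element content. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders one option the way the escape flag would make the renderer behave. */
    static String renderOption(String value, String label, boolean escape) {
        return "<option value=\"" + escapeHtml(value) + "\">"
            + (escape ? escapeHtml(label) : label) + "</option>";
    }

    public static void main(String[] args) {
        // Constructed sample: a label that happens to contain markup (e.g. user-entered data).
        String label = "Tom & Jerry <b>Show</b>";

        // itemLabelEscaped not set on the tag (the attribute resolves to null):
        System.out.println("buggy default : " + renderOption("1", label, resolveEscape(null, false)));
        System.out.println("fixed default : " + renderOption("1", label, resolveEscape(null, true)));

        // On an unpatched release, set itemLabelEscaped="true" explicitly;
        // a non-null attribute value overrides either default.
        System.out.println("explicit true : " + renderOption("1", label, resolveEscape("true", false)));
    }
}
```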


            People

            • Assignee: Manfred Riem
            • Reporter: balusc
            • Votes: 3
            • Watchers: 3
