Details

      Description

      I found that <h:outputText /> was not escaping its value.
      After some WTFs and debugging it I found that it only happens when
      there is a <script> block above. But it's not just outputText; the
      raw EL is affected as well. In the following snippet, cases 4, 5 and 6 are not
      escaped:

      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

      <html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:f="http://java.sun.com/jsf/core"
      xmlns:h="http://java.sun.com/jsf/html">

      <!-- Case 1 -->
      <h:outputText name="id" id="id" value="#{param['id']}"></h:outputText>
      <!-- Case 2 -->
      <h:inputHidden name="id" id="id" value="#{param['id']}"></h:inputHidden>
      <!-- Case 3 -->
      <input type="hidden" name="id" id="id" value="#{param['id']}"/>
      #{param['id']}

      <script>
      // case 4
      var paramId = #{param['id2']};
      // case 5
      var paramIdd = "<h:outputText value="#{param['id3']}" />";
      </script>
      <!-- Case 6 -->
      #{param['id4']}

      </html>

      I searched the web and found
      https://java.net/jira/browse/JAVASERVERFACES-2503 saying it was a bug
      in 2.1.12, but I tried 2.1.13 and 2.2.5 and I'm still getting this
      behaviour.

      The relevant parts of my pom:
      <dependency>
          <groupId>com.sun.faces</groupId>
          <artifactId>jsf-api</artifactId>
          <version>2.2.5</version>
      </dependency>
      <dependency>
          <groupId>com.sun.faces</groupId>
          <artifactId>jsf-impl</artifactId>
          <version>2.2.5</version>
      </dependency>

      Am I missing something? This is quite serious for developers thinking their data is escaped and XSS-free!
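      As an added illustration (not the reporter's code and not Mojarra's), the following shows what the entity escaping h:outputText performs does for cases 1, 3 and 6, and why it cannot make case 4 safe even once this bug is fixed: a value placed directly into JavaScript code, as in `var paramId = #{param['id2']};`, needs no HTML-special character to change the script. Class and method names are my own and the sample values are constructed.

```java
// Added illustration (not Mojarra's or the reporter's code): what h:outputText-style
// HTML escaping does for the six cases above, and where it is the wrong tool.
public final class EscapeContextDemo {

    // Entity escaping of the kind h:outputText (escape="true") applies to text and attributes.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<': out.append("&lt;");   break;
                case '>': out.append("&gt;");   break;
                case '&': out.append("&amp;");  break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    // Encoding for a JavaScript string literal (case 5): everything outside [A-Za-z0-9]
    // becomes a \x or unicode escape, so neither the closing quote nor "</script>" survives.
    static String jsStringEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
                out.append(c);
            } else if (c < 0x100) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String markup = "<b>id</b>";          // constructed: neutralised by htmlEscape (cases 1, 3, 6)
        String code   = "1; callAnything()";  // constructed: contains no HTML-special character
        System.out.println("text/attribute context: " + htmlEscape(markup));

        // Case 4 drops the value into JavaScript code. HTML escaping leaves it untouched,
        // so even with this bug fixed "var paramId = #{param['id2']};" stays unsafe:
        // the value must be parsed as a number (or otherwise validated) before it is rendered.
        System.out.println("case 4 unchanged by htmlEscape: " + code.equals(htmlEscape(code)));

        // Case 5 is a JS string literal: JS-encode it rather than relying on HTML entities,
        // which the browser does not decode inside <script> and which corrupt the value.
        System.out.println("var paramIdd = \"" + jsStringEscape("\"; callAnything(); //") + "\";");
    }
}
```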

          Activity

          Ed Burns added a comment - Safe to close when <http://slc03qna.us.oracle.com:7070/hudson/view/Mojarra%202.1.x/job/2_1_x-gf-3_1_2_2-no-cluster/255/>, <http://slc03qna.us.oracle.com:7070/hudson/view/Mojarra%202.1.x/job/2_1_x-tck/43/>, and <http://hudson-sca.us.oracle.com/view/MOJARRA_ALL/job/MOJARRA_2_1X_ROLLING_DEPLOY/176/> are all clean.
          Ed Burns added a comment -

          Test failure on backport.

          com.sun.faces.test.agnostic.ajax.Issue2443IT.testQuotesInScript
          Failing for the past 1 build (since Unstable #457)
          Took 13 ms.

          Error Message

          unterminated string literal (script in http://localhost:8080/test-agnostic-ajax/faces/scriptQuote.xhtml from (46, 9) to (49, 10)#48)

          Stacktrace

          com.gargoylesoftware.htmlunit.ScriptException: unterminated string literal (script in http://localhost:8080/test-agnostic-ajax/faces/scriptQuote.xhtml from (46, 9) to (49, 10)#48)
          at com.gargoylesoftware.htmlunit.javascript.StrictErrorReporter.error(StrictErrorReporter.java:64)
          at net.sourceforge.htmlunit.corejs.javascript.Parser.addError(Parser.java:187)
          at net.sourceforge.htmlunit.corejs.javascript.Parser.addError(Parser.java:167)
          at net.sourceforge.htmlunit.corejs.javascript.Parser.addError(Parser.java:163)

          Reverting.

          Ed Burns added a comment -

          Reopen to successfully complete requested backport.

          Please note that we recommend upgrading to 2.2.x because not every issue can be backported to 2.1.x. This is for technical and non-technical reasons.

          Please upgrade as soon as possible.

          Ed Burns added a comment -

          Moved backport to task JAVASERVERFACES-3161.

          Ed Burns added a comment -

          M test/agnostic/facelets/processing/pom.xml

          Turn on processing01 module.

          Sending test/agnostic/facelets/processing/pom.xml
          Transmitting file data .
          Committed revision 12877.

            People

            Assignee: Ed Burns
            Reporter: alvaroms
            Votes: 1
            Watchers: 1

            Time Tracking

            Estimated: Not Specified
            Remaining: 0m
            Logged: 1h 59m