JAVASERVERFACES-3168

also prevent absolute contract reference like "/contracts/base/template.xhtml" for h:graphicImage, h:outputStylesheet and h:outputScript

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.5
    • Fix Version/s: 2.2.6
    • Component/s: resources
    • Labels:
      None

      Description

      The same prevention, to not allow absolute contract references like "/contracts_dir/contract_name/resource.name", must be implemented for:

      • h:graphicImage src="resource ref" and name="resource ref" attributes
      • h:outputStylesheet name="resource ref"
      • h:outputScript name="resource ref"
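
A source-level check for the references listed above, as an added example that is not part of the issue or the project's code: it parses a Facelets view and reports the named attributes of h:graphicImage, h:outputStylesheet and h:outputScript whose value starts with the contracts directory. The function name, the default directory "contracts" (taken from the page's example path) and the sample view are assumptions.

```python
import xml.etree.ElementTree as ET

# JSF HTML tag library namespaces (pre-2.2 and 2.2 URIs).
JSF_HTML_NS = {"http://java.sun.com/jsf/html", "http://xmlns.jcp.org/jsf/html"}

# Tag -> attributes named in the issue description.
CHECKED = {
    "graphicImage": ("src", "name"),
    "outputStylesheet": ("name",),
    "outputScript": ("name",),
}


def direct_contract_refs(xhtml, contracts_dir="contracts"):
    """Return (tag, attribute, value) for each absolute contract reference.

    contracts_dir is an assumption: "contracts" matches the page's example
    path; pass your application's directory if it is configured differently.
    """
    prefix = "/" + contracts_dir.strip("/") + "/"
    findings = []
    for elem in ET.fromstring(xhtml).iter():
        if not isinstance(elem.tag, str) or not elem.tag.startswith("{"):
            continue  # skip nodes without a namespace-qualified tag
        ns, local = elem.tag[1:].split("}", 1)
        if ns not in JSF_HTML_NS or local not in CHECKED:
            continue
        for attr in CHECKED[local]:
            value = elem.get(attr, "").strip()
            if value.startswith(prefix):
                findings.append((local, attr, value))
    return findings


# Constructed sample view, not taken from the project's test files.
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
  <h:head>
    <h:outputStylesheet name="/contracts/base/style.css"/>
    <h:outputScript name="js/app.js"/>
  </h:head>
  <h:body>
    <h:graphicImage src="/contracts/base/logo.png"/>
    <h:graphicImage name="images/logo.png"/>
  </h:body>
</html>"""

if __name__ == "__main__":
    for tag, attr, value in direct_contract_refs(SAMPLE):
        print(f"h:{tag} {attr}={value!r}")
```

Views must be well-formed XML for this parser; values built from EL expressions are not resolved and so are not flagged.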

          Activity

          Manfred Riem added a comment -

          Applied to 2.2 branch,

          svn commit -m "Fixes https://java.net/jira/browse/JAVASERVERFACES-3168, disallow direct contract mapping references for h:graphicImage, h:outputStylesheet and h:outputScript."
          Sending jsf-ri/src/main/java/com/sun/faces/renderkit/RenderKitUtils.java
          Sending jsf-ri/src/main/java/com/sun/faces/renderkit/html_basic/ScriptRenderer.java
          Sending jsf-ri/src/main/java/com/sun/faces/renderkit/html_basic/StylesheetRenderer.java
          Adding test/agnostic/facelets/html/src/main/webapp/graphicImageDirectContract.xhtml
          Adding test/agnostic/facelets/html/src/main/webapp/graphicImageDirectContract2.xhtml
          Adding test/agnostic/facelets/html/src/main/webapp/outputScriptDirectContract.xhtml
          Adding test/agnostic/facelets/html/src/main/webapp/outputStylesheetDirectContract.xhtml
          Adding test/agnostic/facelets/html/src/test/java/com/sun/faces/test/agnostic/facelets/html/Issue3168IT.java
          Transmitting file data ........
          Committed revision 12837.


            People

            • Assignee:
              Manfred Riem
              Reporter:
              Hanspeter Duennenberger
            • Votes:
              0
              Watchers:
              0
