[JAVASERVERFACES-2747] XSS hole: GenericObjectSelectItem incorrectly defaults to itemLabelEscaped="false" Created: 22/Feb/13  Updated: 30/Aug/13  Resolved: 30/Aug/13

Status: Closed
Project: javaserverfaces
Component/s: None
Affects Version/s: 2.1.19
Fix Version/s: None

Type: Bug Priority: Major
Reporter: balusc Assignee: Manfred Riem
Resolution: Won't Fix Votes: 3
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
depends on JAVASERVERFACES_SPEC_PUBLIC-1167 <f:selectItems> itemLabelEscaped: if ... Closed


GenericObjectSelectItem defaults to itemLabelEscaped="false" which opens a possible unforeseen XSS hole. Escaping should always default to "true" and disabling it should only explicitly be done. All other JSF components do that correctly.

Inside the updateItem() method of GenericObjectSelectItem, the "false" in the following block

setEscape(((itemEscapedResult != null)
    ? Boolean.valueOf(itemEscapedResult.toString())
    : false));

should have been "true"

setEscape(((itemEscapedResult != null)
    ? Boolean.valueOf(itemEscapedResult.toString())
    : true));
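
Added illustration of the point above (this is standalone example code, not Mojarra's GenericObjectSelectItem or any JSF API): a small model of a select item whose label is either HTML-escaped or emitted raw into the rendered option element, with the escape flag resolved exactly the way the ternary in the report resolves it. The Item, resolveEscape, renderOption and escapeHtml names are hypothetical, and the label text is constructed. It contrasts the shipped default (false), the reporter's proposed default (true), and the page-author workaround that the ternary already honours on 2.1: setting itemLabelEscaped="true" explicitly.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-in for a select item: a label and an escape flag.
public class SelectItemEscapeDemo {

    static final class Item {
        final String label;
        final boolean escape;

        Item(String label, boolean escape) {
            this.label = label;
            this.escape = escape;
        }
    }

    // Minimal HTML escaper for text content placed inside an element body.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Mirrors the ternary quoted in the report: an explicit itemLabelEscaped
    // value wins; when the attribute is absent the component default applies.
    // Note that Boolean.valueOf(...) is true only for the string "true"
    // (case-insensitive); anything else, e.g. "yes", resolves to false.
    static boolean resolveEscape(Object itemEscapedResult, boolean defaultWhenUnset) {
        return itemEscapedResult != null
                ? Boolean.valueOf(itemEscapedResult.toString())
                : defaultWhenUnset;
    }

    // Renders the item the way a select renderer would: escaped or raw body.
    static String renderOption(Item item) {
        String body = item.escape ? escapeHtml(item.label) : item.label;
        return "<option>" + body + "</option>";
    }

    public static void main(String[] args) {
        // Constructed label: data that reached the model from user input and
        // happens to contain markup characters.
        String label = "Smith & Sons <b>(preferred)</b>";

        List<String> rows = new ArrayList<>();

        // 2.1.19 behaviour described in the report: attribute omitted -> escape=false.
        Item asShipped = new Item(label, resolveEscape(null, false));
        rows.add("default=false  : " + renderOption(asShipped));

        // Reporter's proposed default: attribute omitted -> escape=true.
        Item asProposed = new Item(label, resolveEscape(null, true));
        rows.add("default=true   : " + renderOption(asProposed));

        // Page-author workaround on 2.1: itemLabelEscaped="true" set explicitly,
        // which the ternary honours regardless of the default.
        Item explicitTrue = new Item(label, resolveEscape("true", false));
        rows.add("explicit true  : " + renderOption(explicitTrue));

        for (String row : rows) {
            System.out.println(row);
        }
    }
}
```

The first row shows the markup passing straight into the option body, the other two show it rendered as literal text. For a 2.1.x deployment, which the resolution leaves unchanged, the third case is the relevant mitigation: set itemLabelEscaped="true" on every <f:selectItems> whose labels can carry user-supplied text, rather than relying on the default.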

Comment by rogerk [ 27/Feb/13 ]

I'll have to see what the spec says about this too.

Comment by Manfred Riem [ 30/Aug/13 ]

This required a change of the spec and as such was fixed in 2.2 and won't be back ported to 2.1.
