[JAVASERVERFACES-2747] XSS hole: GenericObjectSelectItem incorrectly defaults to itemLabelEscaped="false" Created: 22/Feb/13  Updated: 30/Aug/13  Resolved: 30/Aug/13

Status: Closed
Project: javaserverfaces
Component/s: None
Affects Version/s: 2.1.19
Fix Version/s: None

Type: Bug Priority: Major
Reporter: balusc Assignee: Manfred Riem
Resolution: Won't Fix Votes: 3
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Dependency
depends on JAVASERVERFACES_SPEC_PUBLIC-1167 <f:selectItems> itemLabelEscaped: if ... Closed

Description

GenericObjectSelectItem defaults to itemLabelEscaped="false" which opens a possible unforeseen XSS hole. Escaping should always default to "true" and disabling it should only explicitly be done. All other JSF components do that correctly.

Inside the updateItem() method of GenericObjectSelectItem, the "false" in the following block

setEscape(((itemEscapedResult != null)
    ? Boolean.valueOf(itemEscapedResult.toString())
    : false));

should have been "true":

setEscape(((itemEscapedResult != null)
    ? Boolean.valueOf(itemEscapedResult.toString())
    : true));

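The following is an added illustration, not Mojarra source and not part of the report: a hypothetical OptionLabelEscapeDemo class that mirrors the ternary from updateItem() and renders the same user-controlled label once with the reported "false" default and once with the proposed "true" default, so the effect of the default on the emitted HTML is visible.

```java
// Added illustration, not Mojarra source. Models the escape decision in
// GenericObjectSelectItem.updateItem() and what a renderer emits for a
// user-controlled label under each default. Class and method names are assumed.
public class OptionLabelEscapeDemo {

    /** Mirrors the ternary in updateItem(): an explicit attribute wins, else the default. */
    static boolean resolveEscape(Object itemEscapedResult, boolean defaultWhenUnset) {
        return (itemEscapedResult != null)
            ? Boolean.valueOf(itemEscapedResult.toString())
            : defaultWhenUnset;
    }

    /** Minimal HTML escaping for text placed inside an element body or a quoted attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders one option; the label is escaped only when the resolved flag says so. */
    static String renderOption(String value, String label, boolean escape) {
        return "<option value=\"" + escapeHtml(value) + "\">"
            + (escape ? escapeHtml(label) : label) + "</option>";
    }

    public static void main(String[] args) {
        // Constructed sample: a label that originates from user-supplied data.
        String label = "Bob <script>alert(1)</script>";
        // No itemLabelEscaped attribute on the tag, so the default applies.
        Object itemEscapedResult = null;

        boolean reported = resolveEscape(itemEscapedResult, false); // 2.1.19 behaviour
        boolean proposed = resolveEscape(itemEscapedResult, true);  // behaviour the report asks for

        System.out.println(renderOption("42", label, reported)); // script element reaches the page verbatim
        System.out.println(renderOption("42", label, proposed)); // markup emitted as inert text
    }
}
```

The first printed line is the unforeseen hole: with the attribute omitted, nothing in the component escapes the label, so any markup in the backing data lands in the response as-is.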

Comments
Comment by rogerk [ 27/Feb/13 ]

I'll have to see what the spec says about this too.

Comment by Manfred Riem [ 30/Aug/13 ]

This required a change of the spec and as such was fixed in 2.2 and won't be back ported to 2.1.

Generated at Sun May 24 13:18:20 UTC 2015 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.