[JAVASERVERFACES-2747] XSS hole: GenericObjectSelectItem incorrectly defaults to itemLabelEscaped="false" Created: 22/Feb/13 Updated: 30/Aug/13 Resolved: 30/Aug/13
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
GenericObjectSelectItem defaults to itemLabelEscaped="false", which opens a possible unforeseen XSS hole. Escaping should always default to "true", and disabling it should only be done explicitly. All other JSF components do that correctly.
Inside the updateItem() method of GenericObjectSelectItem, the "false" in the following block should have been "true".
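The defensive default the report asks for, shown as an added, self-contained example (not Mojarra code and not the GenericObjectSelectItem class itself): a hypothetical EscapedSelectItem whose label-escape flag is true unless the caller explicitly opts out, with a small HTML escaper and a render method so the difference between the two defaults is visible on a constructed label that contains markup.

```java
import java.util.Objects;

/**
 * Hypothetical stand-in for a JSF select item (added example, not Mojarra code).
 * The label escape flag defaults to true, so an item created without an explicit
 * choice is always rendered with its label escaped; callers must opt out on purpose.
 */
public final class EscapedSelectItem {
    private final String value;
    private final String label;
    private final boolean labelEscaped;

    /** Default constructor path: escaping ON unless the caller opts out. */
    public EscapedSelectItem(String value, String label) {
        this(value, label, true);
    }

    /** Explicit opt-out path; mirrors itemLabelEscaped="false" in the report. */
    public EscapedSelectItem(String value, String label, boolean labelEscaped) {
        this.value = Objects.requireNonNull(value);
        this.label = Objects.requireNonNull(label);
        this.labelEscaped = labelEscaped;
    }

    public boolean isLabelEscaped() {
        return labelEscaped;
    }

    /** Renders an HTML option element; the value attribute is always escaped. */
    public String render() {
        String text = labelEscaped ? escapeHtml(label) : label;
        return "<option value=\"" + escapeHtml(value) + "\">" + text + "</option>";
    }

    /** Escapes the characters that change meaning in HTML text and attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a label that came from an untrusted source and contains markup.
        String untrustedLabel = "Acme <b>Corp</b> & Sons";

        EscapedSelectItem safeByDefault = new EscapedSelectItem("1", untrustedLabel);
        EscapedSelectItem optedOut = new EscapedSelectItem("1", untrustedLabel, false);

        // Default: <option value="1">Acme &lt;b&gt;Corp&lt;/b&gt; &amp; Sons</option>
        System.out.println("escaped (default):          " + safeByDefault.render());
        // Opt-out: <option value="1">Acme <b>Corp</b> & Sons</option>  (markup reaches the browser)
        System.out.println("unescaped (explicit opt-out): " + optedOut.render());
    }
}
```

The point of the two constructors is that the safe behaviour is what you get when you say nothing; a component that needs raw HTML in a label has to pass `false` itself, which is easy to spot in a code review, whereas a `false` default leaks unescaped data from every caller that never thought about it.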
|Comment by rogerk [ 27/Feb/13 ]|
I'll have to see what the spec says about this too.
|Comment by Manfred Riem [ 30/Aug/13 ]|
This required a change of the spec and as such was fixed in 2.2 and won't be backported to 2.1.