Cross Site Scripting XSS possible in pe:tooltip

tdevos · 30 Jun 2015, 12:15

Hi all,

We use pe:tooltip instead of p:tooltip. However looking at the source code the rendering is totally different. Where the primefaces TooltipRenderer class uses escape:

Code: Select all

if(tooltip.isEscape())
                        writer.writeText(valueToRender, "value");
                    else
                        writer.write(valueToRender);

The TooltipRenderer of Primefaces Extensions uses

Code: Select all

String valueToRender = ComponentUtils.getValueToRender(context, tooltip);
   if (valueToRender != null) {
	writer.write(escapeText(valueToRender));
}

However, escape only escapes for Javascript. So if the value contains for example "<script>alert('123')</script>" an alert dialog is displayed. I could change my tooltip to the Primefaces version but the one of Primefaces extensions is much more powerful

03 Jul 2015, 08:37

By the way how you able to inject Script for tooltip value.Can you replicate on showcase example

tdevos · 03 Jul 2015, 09:16

Hi,

Thanks for your reply.

Code: Select all

 <h:outputText id="subject" value="#{myBean.subject}" />
   <pe:tooltip showDelay="100" mouseTracking="true" for="subject">
          <h:outputText value="#{myBean.subject}" />
   </pe:tooltip>

If you let return myBean.subject the value

Code: Select all

<script>alert('123')</script>

Then you'll see a Javascript dialog popping up when the tooltip is displayed.

If you change pe:tooltip to the primefaces version p:tooltip then the Javascript dialog is not displayed an the text "<script>alert('123')</script>" appears on the screen as it should be.

Oleg · 03 Jul 2015, 12:22

You can create an issue in our issue tracker or better fix it self and provide a pull request. I don't need personally pe:tooltip.

I could change my tooltip to the Primefaces version but the one of Primefaces extensions is much more powerful

Thanks. But to be honest I plan to remove the pe:tooltip. Nowadays there are so much cool CSS and/or JS based implementations. I don't see any needs in tooltips as JSF component. I suggest to use a browser native tooltip with the "title" attribute.

tdevos · 03 Jul 2015, 13:00

Hi Oleg,

Thanks for the reply. We are using pe:tooltip because we have some HTML tables in there and this is not possible in using the title attribute. So I'd love to see pe:tooltip stay

Using a JS or CSS library is of course possible but that is an argument for any Primefaces component...

Anyway, thanks for your help and I'll create a pull request soon!

Oleg · 06 Jul 2015, 14:50

tdevos wrote: Anyway, thanks for your help and I'll create a pull request soon!

Please try to fix it by yourself und provide a pull request. Any pull requests are appreciated. I don't think someboby else will fix this issue.

kukeltje · 07 Jul 2015, 17:37

Using a JS or CSS library is of course possible but that is an argument for any Primefaces component...

Not really. The more complex a component is, the less this is true. Tooltip: yes, DataTable: no

Cross Site Scripting XSS possible in pe:tooltip

Who is online