Growl not escaping messages

UI Components for JSF
yapfa
Posts: 22
Joined: 18 Oct 2011, 11:49

24 Nov 2011, 12:52

Like some other threads already state, growl does not escape its messages. Thus \n newlines and such cause it to fail.
It also fails with any HTML-like input (danger of XSS as well, just test in showcase ;) ).

I don't know whether this is "intended" behaviour? At least an escape attribute (like in h:outputText etc.) would be nice.
There is already Issue 2711 in the bugtracker. How and when will this be solved?

cagatay.civici
Prime
Posts: 18616
Joined: 05 Jan 2009, 00:21
Location: Cybertron

24 Nov 2011, 14:06

I'll fix it after lunch :)

cagatay.civici
Prime
Posts: 18616
Joined: 05 Jan 2009, 00:21
Location: Cybertron

24 Nov 2011, 15:34

Done!

yapfa
Posts: 22
Joined: 18 Oct 2011, 11:49

24 Nov 2011, 16:01

Wow, that was fast :)
I've only looked at your code changes in r6012 and they look as if HTML-like content in message title/summary (e.g. "<b>bold</b>") will still slip through (i.e. not getting escaped).

Couldn't this cause problems if a growl message accidentally (by chance, breaking page validation) or intentionally (due to some XSS attack) contains HTML-like fragments?

cagatay.civici
Prime
Posts: 18616
Joined: 05 Jan 2009, 00:21
Location: Cybertron

24 Nov 2011, 17:00

I see, I thought you mentioned escaping special characters like double quotes, as growl uses JSON-like syntax. I've now added HTML character escaping as well.
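The two escaping layers discussed in this thread, shown as an added example rather than PrimeFaces' own growl code: the message is first emitted into a JSON-like script literal (so double quotes and newlines need string escaping), and then placed into the DOM (so HTML-like fragments need entity escaping). The render functions and sample input below are constructed for illustration.

```javascript
// Added example, not the PrimeFaces implementation: the two escaping layers
// a growl-style message renderer needs.
//  1. String-literal escaping so "\n" and double quotes do not break the
//     JSON-like script that carries the message.
//  2. HTML escaping so "<b>bold</b>" is shown as text, not rendered as markup.

// Layer 1: make a value safe inside a double-quoted JS/JSON string literal.
function escapeJsString(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/</g, '\\u003C'); // keeps "</script>" from closing the script block
}

// Layer 2: escape HTML metacharacters so markup is rendered as plain text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The problematic pattern: raw interpolation of summary/detail into markup.
function renderGrowlUnsafe(summary, detail) {
  return '<span class="summary">' + summary + '</span>' +
         '<p class="detail">' + detail + '</p>';
}

// The fixed pattern: escape first, then turn newlines into <br/> so the
// message keeps its line breaks without accepting arbitrary HTML.
function renderGrowlSafe(summary, detail) {
  const nl2br = (s) => escapeHtml(s).replace(/\n/g, '<br/>');
  return '<span class="summary">' + nl2br(summary) + '</span>' +
         '<p class="detail">' + nl2br(detail) + '</p>';
}

// Constructed sample input: an HTML-like fragment plus a newline and quotes.
const SAMPLE_SUMMARY = '<b>bold</b> title';
const SAMPLE_DETAIL = 'line one\nline "two"';

// Script-literal form of the detail; parsing it back must yield the original.
const SAMPLE_LITERAL = '"' + escapeJsString(SAMPLE_DETAIL) + '"';
```

Running `renderGrowlUnsafe(SAMPLE_SUMMARY, SAMPLE_DETAIL)` leaves the `<b>` tag intact in the output, while `renderGrowlSafe` turns it into `&lt;b&gt;` and keeps the line break as `<br/>`.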
