Missing Escape in <p:charts> - PF5.0.5+

nerone
Posts: 27
Joined: 15 Mar 2012, 16:51

21 Aug 2014, 09:30

Hello, I've stumbled across the following issue in PF 5.0.5

Uncaught SyntaxError: Unexpected token ILLEGAL

This happens when some data in p:charts contains backslashes - they are not escaped correctly.

Code:

"$(function(){PrimeFaces.cw('Chart','chartFilesXXXXXXXX',{id:'A9635:j_idt3:j_idt290',type:'pie',data:[[["xxxxxxxxxxxxxxxxx)",63],["xxxxxxxxxxxxxxxxxxxxx",60],["xxxxxxxxxxxxxxx",54],["asdf-asdf-asdf-asdf (asdf\asdf\asdf\asdf)",48],["asdf-asf-fas-asdfasdf (ycyxc\yxcyxc\yxcyxc\u4_asdf...",42]
The reason for this is probably:

Code:

import java.io.IOException;
import java.util.Iterator;

import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;

import org.primefaces.component.chart.Chart;
import org.primefaces.model.chart.PieChartModel;

public class PieRenderer extends BasePlotRenderer {

    @Override
    protected void encodeData(FacesContext context, Chart chart) throws IOException {
        ResponseWriter writer = context.getResponseWriter();
        PieChartModel model = (PieChartModel) chart.getModel();

        writer.write(",data:[[");
        for(Iterator<String> it = model.getData().keySet().iterator(); it.hasNext();) {
            String key = it.next();
            Number value = model.getData().get(key);

            // The label is concatenated into the JS string literal without any
            // escaping: a backslash or quote in the key breaks the generated script
            writer.write("[\"" + key + "\"," + value + "]");

            if(it.hasNext()) {
                writer.write(",");
            }
        }
        writer.write("]]");
    }
}
PieRenderer and DonutRenderer are both affected (maybe some others too!)

Hope this can be fixed soon =)
Thanks

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

21 Aug 2014, 10:53

As a workaround you can escape them yourself.

nerone
Posts: 27
Joined: 15 Mar 2012, 16:51

27 Aug 2014, 11:48

It's not a very nice solution to escape manually, because the data might not only be used by the charts component. To make a distinction is not the best solution. Also, how should one know if the data is used in JS or HTML tags?

Also consider that this behaviour makes the site susceptible to XSS attacks. I hope this issue could be addressed in the next release. It's only a few lines of code change - please commit it!

I will attach the solution we have now temporarily used. But the standard jars should contain it.

The Escape code:
Copyright (c) 2005 Michael Eddington / OWASP encoding
https://www.owasp.org/index.php/OWASP_J ... er_Project

Code:

public final class Encoder {

	// Single-argument overload so the renderer can call Encoder.JsString(key)
	public static String JsString(String str) {
		return JsString(str, null);
	}

	public static String JsString(String str, String def) {
		if (str == null || str.length() == 0) {
			str = (def == null ? "" : def);
		}

		int len = str.length();
		StringBuffer out = new StringBuffer((int) (len * 1.5));
		out.append('\'');

		// Allow: a-z A-Z 0-9 SPACE , .
		// Allow (dec): 97-122 65-90 48-57 32 44 46

		for (int cnt = 0; cnt < len; cnt++) {
			char c = str.charAt(cnt);
			if ((c >= 97 && c <= 122) || (c >= 65 && c <= 90) || (c >= 48 && c <= 57) || c == 32 || c == 44 || c == 46) {
				out.append(c);
			}
			else if (c <= 127) {
				// Every other ASCII character becomes a \xHH escape
				out.append("\\x");

				String hex = Integer.toString(c, 16);
				if (hex.length() < 2) {
					out.append('0');
				}

				out.append(hex);
			}
			else {
				// Non-ASCII becomes \uHHHH (a Java char is 16-bit, so 4 hex digits suffice)
				out.append("\\u");

				String hex = Integer.toString(c, 16);
				for (int i = hex.length(); i < 4; i++) {
					out.append('0');
				}

				out.append(hex);
			}
		}

		// The result is a complete single-quoted JS string literal
		return out.append('\'').toString();
	}
}

Then each time the data is used for JS:

Code:

writer.write("[" + Encoder.JsString(key) + "," + value + "]");
The affected classes we found: DonutRenderer, BarRenderer, LineRenderer, PieRenderer

Thanks
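As an added example (not PrimeFaces code, and not the patch the project shipped), here is the renderer's data loop built both the way the buggy PieRenderer did it and with every label escaped for a JavaScript string literal. The escaping is JSON-style rather than the OWASP allow-list encoder quoted above; the class name, method names and sample labels are constructed for this demonstration.

```java
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

public final class ChartDataEncoding {

    // JSON-style escape of one label into a double-quoted JS string literal.
    public static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 2).append('"');
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':      out.append("\\\""); break;
                case '\\':     out.append("\\\\"); break;
                case '/':      out.append("\\/"); break;      // keeps "</script>" inert in an inline script
                case '\u2028': out.append("\\u2028"); break;  // JS line terminators are illegal inside literals
                case '\u2029': out.append("\\u2029"); break;
                default:
                    if (c < 0x20) out.append(String.format("\\u%04x", (int) c)); // control chars
                    else out.append(c);
            }
        }
        return out.append('"').toString();
    }

    // Same loop shape as PieRenderer.encodeData; escape=false reproduces the bug.
    public static String encodeData(Map<String, Number> data, boolean escape) {
        StringBuilder w = new StringBuilder(",data:[[");
        for (Iterator<Map.Entry<String, Number>> it = data.entrySet().iterator(); it.hasNext();) {
            Map.Entry<String, Number> e = it.next();
            String label = escape ? escapeJsString(e.getKey()) : "\"" + e.getKey() + "\"";
            w.append('[').append(label).append(',').append(e.getValue()).append(']');
            if (it.hasNext()) w.append(',');
        }
        return w.append("]]").toString();
    }

    public static void main(String[] args) {
        Map<String, Number> data = new LinkedHashMap<>();   // constructed sample labels
        data.put("asdf (asdf\\asdf\\u4_asdf)", 48);         // backslashes like the report's
        data.put("x\" ]] </script>", 42);                   // label that closes the literal and the script
        System.out.println(encodeData(data, false));  // unescaped: \u4_ is an illegal JS escape
        System.out.println(encodeData(data, true));   // escaped: valid JS, labels stay plain strings
    }
}
```

The first line printed is the shape of the script the browser rejected with "Unexpected token ILLEGAL"; the second parses, and the label that tries to end the array and the script stays inside its string literal.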
