After converting a <h:dataTable/> to a PrimeFaces <p:dataTable>, I was surprised to discover that some of the data coming from the client, which is XML-like text, is not being escaped (or is being escaped then unescaped) and is being sent to the browser in raw form, tags intact and unescaped.
Some quick checks show that the issue is with the dynamic AJAX updates. Fully client-side tables render correctly and safely. Needless to say, interpreting client-supplied text data as markup is extremely unsafe, and will create bugs at best and gaping security holes at worst.
I'll post a self-contained test case if you need one, but this is pretty trivial to reproduce. Use a p:dataTable with dynamic=true to display some String values that contain text like:
"<b>SomeText</b> someOtherText"
You'll find that you see bold text (etc), even if your column explicitly requests escaped, safe output:
<h:outputText escape="true" value="#{item}"/>
If you set dynamic=false, the raw text is displayed (as it should be) instead of interpreted as markup.
There's a related thread here: http://primefaces.prime.com.tr/forum/vi ... f=3&t=3152 but it's not clear that dataTable has been identified as affected, and it's not clear that this has been identified as a security issue either.
SECURITY: dynamic=true defeats outputText escaping
- Prime
Can you try with 2.2.M1-SNAPSHOT?
Any plans to issue an advisory for this or offer a fix? Or document it as a defect?
This issue will result in a trivial to exploit XSS scripting hole in any app that doesn't do an extra layer of escaping, especially apps that switch from h:dataTable to p:dataTable without being aware of the different escaping rules.
I don't see an escape attribute documented in the primefaces manual.
Does JSF have HTML escape support?
If not, what's the best way to implement it? In PhaseListener? By introducing new text components? Custom converter? Model validation?
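The "extra layer of escaping" mentioned earlier in the thread, and the custom-converter option raised in the question above, can be combined into one small JSF converter. The code below is an added example written for this thread; it is not code from the original posts and not part of PrimeFaces. It assumes the JSF 2.0 API (javax.faces.*), and the converter id "htmlEscape" is an arbitrary name chosen for the example.

```java
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.convert.Converter;
import javax.faces.convert.FacesConverter;

/**
 * Output-side HTML escaping that does not depend on the renderer honouring
 * escape="true". Attach it with converter="htmlEscape" on the outputText
 * inside the column. Example code, not part of PrimeFaces.
 */
@FacesConverter("htmlEscape")
public class HtmlEscapeConverter implements Converter {

    @Override
    public Object getAsObject(FacesContext ctx, UIComponent component, String value) {
        // Output-only converter: submitted values pass through untouched, so the
        // model keeps the original string and is not "unescaped" on the way in.
        return value;
    }

    @Override
    public String getAsString(FacesContext ctx, UIComponent component, Object value) {
        if (value == null) {
            return "";
        }
        return escapeHtml(value.toString());
    }

    /**
     * Escapes the five characters that can break out of HTML text or a
     * quoted attribute. This is only correct for HTML body/attribute context,
     * not for values placed inside <script> blocks, URLs or CSS.
     */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Used as <h:outputText value="#{item}" converter="htmlEscape"/>, the string "<b>SomeText</b> someOtherText" from the report reaches the renderer as "&lt;b&gt;SomeText&lt;/b&gt; someOtherText". If the dynamic update path emits it raw, the browser shows the literal tags instead of bold text; if a code path does escape properly (for example with dynamic=false), the same value is escaped twice and the user sees "&lt;b&gt;" as visible text. Double escaping is a cosmetic defect, while a missing escape is script execution, so this trade-off is the safe direction while the underlying renderer behaviour is unresolved.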