Hi
We have noticed a security related issue with <p:messages/>. It does not escape the messages, so if a message contains markup with javascript, the javascript is executed when the message is displayed. The JSF tag <h:messages/> escapes the output.
Is there any workaround to prevent this?
Regards,
Anders
p:messages is not escaping markup
- Prime
- Posts: 18616
- Joined: 05 Jan 2009, 00:21
- Location: Cybertron
You can create an issue ticket about this.
Cool, done: http://code.google.com/p/primefaces/iss ... il?id=1598
Do you have any pointers as to how this could be implemented? Is there an escape function somewhere that can be reused? We could have a go at patching PrimeFaces ourselves and attaching the code to the issue.
Regards,
Anders
- Prime
ResponseWriter api has writeText method as I remember, it does the escaping itself. I think we use write method instead that does not do escaping.
Seems to be working like a charm! Replaced like this in MessagesRenderer:
writer.write(summary); -> writer.writeText(summary, null);
writer.write(detail); -> writer.writeText(detail, null);
Should this be the default behaviour, or should this be parameterized?
Thanks a bunch for helping!
-Anders
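Added example (not PrimeFaces code and not from either poster): a self-contained Java sketch of the before/after described in this thread. `Message` is an assumed stand-in for `FacesMessage` and `HtmlTextWriter` for the Faces `ResponseWriter`; the `write()`/`writeText()` split mirrors the API names used above, but the escaping body here is written for the example and is not the Mojarra or MyFaces implementation. The payload message is constructed.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.Arrays;
import java.util.List;

public class MessagesRendererDemo {

    /** Assumed stand-in for javax.faces.application.FacesMessage: summary and detail only. */
    static final class Message {
        final String summary;
        final String detail;
        Message(String summary, String detail) { this.summary = summary; this.detail = detail; }
    }

    /**
     * Assumed stand-in for javax.faces.context.ResponseWriter. write() copies the string
     * through unchanged; writeText() escapes it so the browser treats it as text, never markup.
     */
    static final class HtmlTextWriter {
        private final Writer out;
        HtmlTextWriter(Writer out) { this.out = out; }

        void write(String markup) throws IOException { out.write(markup); }

        void writeText(Object text, String componentProperty) throws IOException {
            String s = String.valueOf(text);
            StringBuilder sb = new StringBuilder(s.length() + 16);
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                switch (c) {
                    case '&':  sb.append("&amp;");  break;
                    case '<':  sb.append("&lt;");   break;
                    case '>':  sb.append("&gt;");   break;
                    case '"':  sb.append("&quot;"); break;
                    case '\'': sb.append("&#39;");  break;
                    default:   sb.append(c);
                }
            }
            out.write(sb.toString());
        }
    }

    /** Renders the message list; escape=false is the unpatched write() path, escape=true the fix. */
    static String render(List<Message> messages, boolean escape) throws IOException {
        StringWriter sw = new StringWriter();
        HtmlTextWriter writer = new HtmlTextWriter(sw);
        writer.write("<ul class=\"messages\">");
        for (Message m : messages) {
            writer.write("<li><span class=\"summary\">");
            if (escape) writer.writeText(m.summary, null); else writer.write(m.summary);
            writer.write("</span> <span class=\"detail\">");
            if (escape) writer.writeText(m.detail, null); else writer.write(m.detail);
            writer.write("</span></li>");
        }
        writer.write("</ul>");
        return sw.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a message whose summary embeds an attacker-controlled username.
        List<Message> msgs = Arrays.asList(new Message(
                "Login failed for <img src=x onerror=alert(document.cookie)>",
                "account \"bob\" & co locked"));
        System.out.println("unpatched: " + render(msgs, false));
        System.out.println("patched:   " + render(msgs, true));
    }
}
```

In the unpatched output the `<img ... onerror=...>` lands in the page as a real element and the handler runs; in the patched output it survives only as `&lt;img ... &gt;` inside the span and is displayed as text. The same check applies to any other renderer that writes a user-influenced string with `write()` rather than `writeText()`. If the behaviour is ever made configurable, escaping should remain the default, matching `h:messages`.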