From 0cdaf28d282134413910971cdeb7ed71cacdc6e3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Leif=20=C3=85strand?=
Date: Fri, 14 Nov 2014 15:27:49 +0200
Subject: [PATCH] Escape dynamic and configured theme names in the same way. (#15309)

Change-Id: Ib7fd42e6017d0b78e6d5e6bd7f531f0cd6c8c0ab
---
 .../src/com/vaadin/server/VaadinServlet.java | 6 +--
 server/src/com/vaadin/ui/UI.java | 8 +++-
 .../src/com/vaadin/ui/UIThemeEscaping.java | 43 +++++++++++++++++++
 3 files changed, 52 insertions(+), 5 deletions(-)
 create mode 100644 server/tests/src/com/vaadin/ui/UIThemeEscaping.java

diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java
index 4fd1e97a40..d1242676da 100644
--- a/server/src/com/vaadin/server/VaadinServlet.java
+++ b/server/src/com/vaadin/server/VaadinServlet.java
@@ -573,8 +573,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
 /**
 * A helper method to strip away characters that might somehow be used for
- * XSS attacs. Leaves at least alphanumeric characters intact. Also removes
- * eg. ( and ), so values should be safe in javascript too.
+ * XSS attacks. Leaves at least alphanumeric characters intact. Also removes
+ * e.g. '(' and ')', so values should be safe in javascript too.
 *
 * @param themeName
 * @return
@@ -583,7 +583,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
 * version
 */
 @Deprecated
- protected static String stripSpecialChars(String themeName) {
+ public static String stripSpecialChars(String themeName) {
 StringBuilder sb = new StringBuilder();
 char[] charArray = themeName.toCharArray();
 for (int i = 0; i < charArray.length; i++) {
diff --git a/server/src/com/vaadin/ui/UI.java b/server/src/com/vaadin/ui/UI.java
index 78cb5488e8..44948dfb6f 100644
--- a/server/src/com/vaadin/ui/UI.java
+++ b/server/src/com/vaadin/ui/UI.java
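Review bot: `stripSpecialChars` is widened to `public` while it keeps `@Deprecated` and a Javadoc saying it "will likely change or be removed", yet `UI.setTheme` in this same patch now routes every theme name through it, so the filter relied on for XSS protection hangs off an API documented as disposable. Either drop `@Deprecated` here or move the character filter into a non-deprecated helper that both the servlet and `UI` call; as written, a future removal of the deprecated method would silently take the escaping with it. The `@param themeName` and `@return` tags are also still empty — at minimum `@param themeName the theme name to sanitize; must not be null` and `@return the name with the filtered characters removed`, since `themeName.toCharArray()` in the context line below throws on null. The method body continues outside the hunk, so which characters are removed cannot be confirmed from here.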
@@ -633,7 +633,11 @@ public abstract class UI extends AbstractSingleComponentContainer implements
 this.embedId = embedId;
 // Actual theme - used for finding CustomLayout templates
- getState().theme = request.getParameter("theme");
+ String unescapedThemeName = request.getParameter("theme");
+ if (unescapedThemeName != null) {
+ // Set theme escapes the name
+ setTheme(unescapedThemeName);
+ }
 getPage().init(request);
@@ -1164,7 +1168,7 @@ public abstract class UI extends AbstractSingleComponentContainer implements
 * The new theme name
 */
 public void setTheme(String theme) {
- getState().theme = theme;
+ getState().theme = VaadinServlet.stripSpecialChars(theme);
 }
 /**
diff --git a/server/tests/src/com/vaadin/ui/UIThemeEscaping.java b/server/tests/src/com/vaadin/ui/UIThemeEscaping.java
new file mode 100644
index 0000000000..ca6782952d
--- /dev/null
+++ b/server/tests/src/com/vaadin/ui/UIThemeEscaping.java
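Review bot: When the request carries no `theme` parameter the new code leaves `getState().theme` untouched, whereas the removed line assigned the (null) parameter unconditionally; if the state can already hold a theme when this runs (not visible in the hunk), an absent parameter no longer clears it. If that reset matters, keep it explicit with an `else { getState().theme = null; }` branch after the new `if`, or make the escaping null-tolerant so the parameter can be passed straight through as before. The enclosing initialisation method starts before the hunk.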
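Review bot: `setTheme(null)` now throws `NullPointerException`, because `VaadinServlet.stripSpecialChars` calls `themeName.toCharArray()` without a null check (visible in the VaadinServlet hunk), whereas the removed line accepted null and cleared the theme; any caller that resets the theme that way breaks. Guard the call: `getState().theme = theme == null ? null : VaadinServlet.stripSpecialChars(theme);`. The Javadoc above (its start lies outside the hunk) should also say that the stored value is a filtered copy of the argument, e.g. `Characters that could be used for script injection are removed before the name is stored, so the value later read back may differ from the argument.`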
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2000-2014 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.vaadin.ui;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import com.vaadin.server.VaadinRequest;
+
+public class UIThemeEscaping {
+
+ @Test
+ public void testThemeEscaping() {
+ UI ui = new UI() {
+ @Override
+ protected void init(VaadinRequest request) {
+ // Nothing to do
+ }
+ };
+
+ ui.setTheme("a<å(_\"$");
+
+ String theme = ui.getTheme();
+
+ Assert.assertEquals(
+ "Dangerous characters should be removed from the theme name",
+ "aå_$", theme);
+ }
+
+}
-- 2.39.5
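Review bot: The test pins only the `setTheme` path, while the commit's point is that the request-supplied `theme` parameter gets the same treatment; nothing here drives the initialisation branch changed in UI.java, so a regression there would still pass. A second case that feeds a `VaadinRequest` whose `getParameter("theme")` returns a dangerous string through that init path and asserts on `getTheme()` would cover the actual #15309 fix (the init method's signature is not visible in this patch, so the exact call needs checking). The null case is also unstated — add an assertion for `ui.setTheme(null)` so whichever behaviour is intended is pinned rather than accidental. Lastly, the class name `UIThemeEscaping` lacks the usual `Test` suffix; if the build's test discovery is name-pattern based (not determinable from the patch), this class may never run.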