From 9fe131039de77038d4f9135e1b080c3750442873 Mon Sep 17 00:00:00 2001
From: Henri Sara
Date: Tue, 27 Sep 2011 08:40:48 +0000
Subject: [PATCH] #7672 contributory XSS fixes in certain components

svn changeset:21328/svn branch:6.6
---
 src/com/vaadin/terminal/gwt/client/Util.java | 16 ++++
 .../vaadin/terminal/gwt/client/ui/Action.java | 4 +-
 .../terminal/gwt/client/ui/VEmbedded.java | 84 ++++++++-----------
 .../terminal/gwt/client/ui/VFilterSelect.java | 7 +-
 .../terminal/gwt/client/ui/VMenuBar.java | 14 ++--
 .../terminal/gwt/client/ui/VScrollTable.java | 3 +-
 .../vaadin/terminal/gwt/client/ui/VView.java | 3 +-
 .../terminal/gwt/client/ui/VWindow.java | 3 +-
 8 files changed, 72 insertions(+), 62 deletions(-)

diff --git a/src/com/vaadin/terminal/gwt/client/Util.java b/src/com/vaadin/terminal/gwt/client/Util.java
index e5e8b7911a..fdcd123d50 100644
--- a/src/com/vaadin/terminal/gwt/client/Util.java
+++ b/src/com/vaadin/terminal/gwt/client/Util.java
@@ -251,6 +251,22 @@ public class Util {
 return DOM.getInnerHTML(escapeHtmlHelper);
 }
 
+ /**
+ * Escapes the string so it is safe to write inside an HTML attribute.
+ *
+ * @param attribute
+ * The string to escape
+ * @return An escaped version of attribute.
+ */
+ public static String escapeAttribute(String attribute) {
+ attribute = attribute.replace("\"", """);
+ attribute = attribute.replace("'", "'");
+ attribute = attribute.replace(">", ">");
+ attribute = attribute.replace("<", "<");
+ attribute = attribute.replace("&", "&");
+ return attribute;
+ }
+
 /**
 * Adds transparent PNG fix to image element; only use for IE6.
 *
diff --git a/src/com/vaadin/terminal/gwt/client/ui/Action.java b/src/com/vaadin/terminal/gwt/client/ui/Action.java
index 4d02f0a259..20d58c69f8 100644
--- a/src/com/vaadin/terminal/gwt/client/ui/Action.java
+++ b/src/com/vaadin/terminal/gwt/client/ui/Action.java
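Review bot: The `&` replacement in the new `Util.escapeAttribute` runs last, so the entities produced by the four earlier `replace` calls are themselves re-escaped — `"` ends up as `&amp;quot;` rather than `&quot;` — assuming the replacement strings are the usual `&quot;`, `&#39;`, `&gt;`, `&lt;`, `&amp;` entities, which this page renders decoded. The output is still safe, since no quote or angle bracket survives unescaped, but any value containing one of those characters is shown as literal entity text once the browser decodes the attribute. Move `attribute = attribute.replace("&", "&amp;");` to be the first replacement. The Javadoc should also state that the result is only meant for a quoted attribute value, that URL-valued attributes such as `src` or `codebase` still need their scheme validated by the caller because escaping does not do that, and that a null argument throws NullPointerException since there is no null check.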
@@ -5,6 +5,7 @@ package com.vaadin.terminal.gwt.client.ui; import com.google.gwt.user.client.Command; +import com.vaadin.terminal.gwt.client.Util; /** * @@ -30,7 +31,8 @@ public abstract class Action implements Command { final StringBuffer sb = new StringBuffer(); sb.append("
"); if (getIconUrl() != null) { - sb.append("\"icon\""); + sb.append("\"icon\""); } sb.append(getCaption()); sb.append("
"); diff --git a/src/com/vaadin/terminal/gwt/client/ui/VEmbedded.java b/src/com/vaadin/terminal/gwt/client/ui/VEmbedded.java index a0f7cc649c..bd7b16022e 100644 --- a/src/com/vaadin/terminal/gwt/client/ui/VEmbedded.java +++ b/src/com/vaadin/terminal/gwt/client/ui/VEmbedded.java @@ -121,15 +121,13 @@ public class VEmbedded extends HTML implements Paintable { } else if (type.equals("browser")) { addStyleName(CLASSNAME + "-browser"); if (browserElement == null) { - setHTML(""); + setHTML(""); browserElement = DOM.getFirstChild(getElement()); - } else { - DOM.setElementAttribute(browserElement, "src", - getSrc(uidl, client)); } + DOM.setElementAttribute(browserElement, "src", + getSrc(uidl, client)); clearBrowserElement = false; } else { VConsole.log("Unknown Embedded type '" + type + "'"); @@ -138,6 +136,7 @@ public class VEmbedded extends HTML implements Paintable { final String mime = uidl.getStringAttribute("mimetype"); if (mime.equals("application/x-shockwave-flash")) { // Handle embedding of Flash + addStyleName(CLASSNAME + "-flash"); setHTML(createFlashEmbed(uidl)); } else if (mime.equals("image/svg+xml")) { 
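Review bot: In the second Action.java hunk the caption on the context line `sb.append(getCaption());` is still concatenated into the markup verbatim while only the icon URL is now escaped; if action captions are plain text rather than intentional HTML, it should become `sb.append(Util.escapeHTML(getCaption()));`, as VFilterSelect does for its caption in this same commit. The same question applies to the `caption` attribute in VScrollTable's @@ -5293 hunk, which is prefixed with the icon markup but otherwise appended unescaped. The image markup itself has been stripped from this page, so I cannot confirm that the `src` value is placed inside a double-quoted attribute consistently with the `\"icon\"` alt that survives. The enclosing method starts before the hunk and its signature is not visible here.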
@@ -160,24 +159,24 @@ public class VEmbedded extends HTML implements Paintable { obj.getStyle().setProperty("height", "100%"); } if (uidl.hasAttribute("classid")) { - obj.setAttribute("classid", - uidl.getStringAttribute(escapeAttribute("classid"))); + obj.setAttribute("classid", Util.escapeAttribute(uidl + .getStringAttribute("classid"))); } if (uidl.hasAttribute("codebase")) { - obj.setAttribute("codebase", uidl - .getStringAttribute(escapeAttribute("codebase"))); + obj.setAttribute("codebase", Util.escapeAttribute(uidl + .getStringAttribute("codebase"))); } if (uidl.hasAttribute("codetype")) { - obj.setAttribute("codetype", uidl - .getStringAttribute(escapeAttribute("codetype"))); + obj.setAttribute("codetype", Util.escapeAttribute(uidl + .getStringAttribute("codetype"))); } if (uidl.hasAttribute("archive")) { - obj.setAttribute("archive", - uidl.getStringAttribute(escapeAttribute("archive"))); + obj.setAttribute("archive", Util.escapeAttribute(uidl + .getStringAttribute("archive"))); } if (uidl.hasAttribute("standby")) { - obj.setAttribute("standby", - uidl.getStringAttribute(escapeAttribute("standby"))); + obj.setAttribute("standby", Util.escapeAttribute(uidl + .getStringAttribute("standby"))); } getElement().appendChild(obj); @@ -202,8 +201,6 @@ public class VEmbedded extends HTML implements Paintable { * @return Tags concatenated into a string */ private String createFlashEmbed(UIDL uidl) { - addStyleName(CLASSNAME + "-flash"); - /* * To ensure cross-browser compatibility we are using the twice-cooked * method to embed flash i.e. we add a OBJECT tag for IE ActiveX and @@ -224,7 +221,7 @@ public class VEmbedded extends HTML implements Paintable { */ if (uidl.hasAttribute("classid")) { html.append("classid=\"" - + escapeAttribute(uidl.getStringAttribute("classid")) + + Util.escapeAttribute(uidl.getStringAttribute("classid")) + "\" "); } else { html.append("classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" "); 
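Review bot: In the @@ -160 hunk `Util.escapeAttribute` is applied to the values handed to `obj.setAttribute(...)` for classid, codebase, codetype, archive and standby, but `setAttribute` is the DOM API (obj looks like a GWT DOM Element given `obj.getStyle()` and the `getElement().appendChild(obj)` at the end of the hunk): it stores the string as-is with no HTML parsing, so the entities land literally in the attribute value and a codebase URL containing `&` is stored as `&amp;`. Entity escaping belongs only to the string-built markup in `createFlashEmbed`; here it should be dropped, e.g. `obj.setAttribute("codebase", uidl.getStringAttribute("codebase"));`, and likewise for the other four attributes. The removed code escaped the attribute name instead of its value, so dropping the call restores what was presumably intended without the mis-encoding. The enclosing method starts before the hunk.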
@@ -240,32 +237,35 @@ public class VEmbedded extends HTML implements Paintable { */ if (uidl.hasAttribute("codebase")) { html.append("codebase=\"" - + escapeAttribute(uidl.getStringAttribute("codebase")) + + Util.escapeAttribute(uidl.getStringAttribute("codebase")) + "\" "); } else { html.append("codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0\" "); } // Add width and height - html.append("width=\"" + width + "\" "); - html.append("height=\"" + height + "\" "); + html.append("width=\"" + Util.escapeAttribute(width) + "\" "); + html.append("height=\"" + Util.escapeAttribute(height) + "\" "); html.append("type=\"application/x-shockwave-flash\" "); // Codetype if (uidl.hasAttribute("codetype")) { - html.append("codetype=\"" + uidl.getStringAttribute("codetype") + html.append("codetype=\"" + + Util.escapeAttribute(uidl.getStringAttribute("codetype")) + "\" "); } // Standby if (uidl.hasAttribute("standby")) { - html.append("standby=\"" + uidl.getStringAttribute("standby") + html.append("standby=\"" + + Util.escapeAttribute(uidl.getStringAttribute("standby")) + "\" "); } // Archive if (uidl.hasAttribute("archive")) { - html.append("archive=\"" + uidl.getStringAttribute("archive") + html.append("archive=\"" + + Util.escapeAttribute(uidl.getStringAttribute("archive")) + "\" "); } @@ -281,24 +281,26 @@ public class VEmbedded extends HTML implements Paintable { // Add parameters to OBJECT for (String name : parameters.keySet()) { html.append(""); } // Build inner EMBED tag html.append("attribute. - */ - private String escapeAttribute(String attribute) { - attribute = attribute.replace("\"", """); - attribute = attribute.replace("'", "'"); - attribute = attribute.replace(">", ">"); - attribute = attribute.replace("<", "<"); - attribute = attribute.replace("&", "&"); - return attribute; - } - /** * Returns a map (name -> value) of all parameters in the UIDL. * 
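Review bot: In the @@ -281 hunk the body of the `for (String name : parameters.keySet())` loop and the EMBED tag that follows are not visible on this page — the appended markup has been stripped — so I cannot confirm that the parameter names, the parameter values and the EMBED attributes pass through `Util.escapeAttribute` the way the OBJECT attributes in @@ -240 now do; all of them end up in the string handed to `setHTML`, so they need the same treatment. If they are escaped, iterating `parameters.entrySet()` would avoid the per-name lookup and make the name/value pairing easier to read. The enclosing `createFlashEmbed` method starts before the hunk.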
diff --git a/src/com/vaadin/terminal/gwt/client/ui/VFilterSelect.java b/src/com/vaadin/terminal/gwt/client/ui/VFilterSelect.java index 0a6ad9c1f7..494be87f9c 100644 --- a/src/com/vaadin/terminal/gwt/client/ui/VFilterSelect.java +++ b/src/com/vaadin/terminal/gwt/client/ui/VFilterSelect.java @@ -92,7 +92,7 @@ public class VFilterSelect extends Composite implements Paintable, Field, final StringBuffer sb = new StringBuffer(); if (iconUri != null) { sb.append("\"\""); } sb.append("" + Util.escapeHTML(caption) + ""); @@ -993,7 +993,8 @@ public class VFilterSelect extends Composite implements Paintable, Field, totalMatches = uidl.getIntAttribute("totalMatches"); } - String captions = inputPrompt; + // used only to calculate minimum popup width + String captions = Util.escapeHTML(inputPrompt); for (final Iterator i = options.getChildIterator(); i.hasNext();) { final UIDL optionUidl = (UIDL) i.next(); @@ -1022,7 +1023,7 @@ public class VFilterSelect extends Composite implements Paintable, Field, if (captions.length() > 0) { captions += "|"; } - captions += suggestion.getReplacementString(); + captions += Util.escapeHTML(suggestion.getReplacementString()); } if ((!filtering || popupOpenerClicked) && uidl.hasVariable("selected") diff --git a/src/com/vaadin/terminal/gwt/client/ui/VMenuBar.java b/src/com/vaadin/terminal/gwt/client/ui/VMenuBar.java index 51b9abdb0b..2493e3ad7c 100644 --- a/src/com/vaadin/terminal/gwt/client/ui/VMenuBar.java +++ b/src/com/vaadin/terminal/gwt/client/ui/VMenuBar.java @@ -222,9 +222,10 @@ public class VMenuBar extends SimpleFocusablePanel implements Paintable, if (moreItemUIDL.hasAttribute("icon")) { itemHTML.append("\"\""); + + Util.escapeAttribute(client + .translateVaadinUri(moreItemUIDL + .getStringAttribute("icon"))) + + "\" class=\"" + Icon.CLASSNAME + "\" alt=\"\" />"); } String moreItemText = moreItemUIDL.getStringAttribute("text"); 
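Review bot: The new `itemHTML.append(...)` in VMenuBar's @@ -222 hunk nests `Util.escapeAttribute(client.translateVaadinUri(moreItemUIDL.getStringAttribute("icon")))` across four continuation lines inside a string concatenation, which makes the quoting hard to check by eye; extract it first, `String iconUrl = Util.escapeAttribute(client.translateVaadinUri(moreItemUIDL.getStringAttribute("icon")));`, and concatenate `iconUrl`. The same escape-then-concatenate nesting appears in VScrollTable's @@ -5293 hunk, where a local would help equally. The enclosing method starts before the hunk.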
@@ -328,7 +329,8 @@ public class VMenuBar extends SimpleFocusablePanel implements Paintable, // FIXME For compatibility reasons: remove in version 7 String bgStyle = ""; if (submenuIcon != null) { - bgStyle = " style=\"background-image: url(" + submenuIcon + bgStyle = " style=\"background-image: url(" + + Util.escapeAttribute(submenuIcon) + "); text-indent: -999px; width: 1em;\""; } itemHTML.append(""); if (item.hasAttribute("icon")) { itemHTML.append("\"\""); } String itemText = item.getStringAttribute("text"); diff --git a/src/com/vaadin/terminal/gwt/client/ui/VScrollTable.java b/src/com/vaadin/terminal/gwt/client/ui/VScrollTable.java index 272202c455..e2d776649b 100644 --- a/src/com/vaadin/terminal/gwt/client/ui/VScrollTable.java +++ b/src/com/vaadin/terminal/gwt/client/ui/VScrollTable.java @@ -5293,7 +5293,8 @@ public class VScrollTable extends FlowPanel implements Table, ScrollHandler, .getStringAttribute("caption") : ""; if (uidl.hasAttribute("icon")) { s = "\"icon\"" + s; } return s; diff --git a/src/com/vaadin/terminal/gwt/client/ui/VView.java b/src/com/vaadin/terminal/gwt/client/ui/VView.java index a2184c4954..1247245730 100644 --- a/src/com/vaadin/terminal/gwt/client/ui/VView.java +++ b/src/com/vaadin/terminal/gwt/client/ui/VView.java @@ -327,7 +327,8 @@ public class VView extends SimplePanel implements Container, ResizeHandler, final String parsedUri = client .translateVaadinUri(notification .getStringAttribute("icon")); - html += ""; + html += ""; } if (notification.hasAttribute("caption")) { html += "
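Review bot: In the @@ -328 hunk `Util.escapeAttribute(submenuIcon)` only keeps the value from ending the `style` attribute; the browser decodes the entities before the CSS parser sees the value, so inside the unquoted `url(...)` a `)` or `;` in `submenuIcon` still terminates the function and the remainder is read as further CSS. Where `submenuIcon` comes from is outside the hunk; if it can be anything other than an application-supplied resource URI, validate or percent-encode it before concatenation, or set the background through the style API on the created element instead of building the attribute string. The `FIXME` already schedules this block for removal, so until then a comment such as `// escapeAttribute protects the attribute boundary only, not the CSS url() syntax` would record the limitation. The enclosing method starts before the hunk.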

" diff --git a/src/com/vaadin/terminal/gwt/client/ui/VWindow.java b/src/com/vaadin/terminal/gwt/client/ui/VWindow.java index e2fe47cc2c..84c7868005 100644 --- a/src/com/vaadin/terminal/gwt/client/ui/VWindow.java +++ b/src/com/vaadin/terminal/gwt/client/ui/VWindow.java @@ -865,7 +865,8 @@ public class VWindow extends VOverlay implements Container, String html = Util.escapeHTML(c); if (icon != null) { icon = client.translateVaadinUri(icon); - html = "" + html; + html = "" + html; } DOM.setInnerHTML(headerText, html); } -- 2.39.5