From fefbf1d45537c042207ec2795db4a7213ff73a8b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Leif=20=C3=85strand?=
Date: Fri, 29 Jun 2012 11:49:30 +0300
Subject: [PATCH] Change Notification default to no allow HTML (#9066)

---
 src/com/vaadin/ui/Notification.java | 22 ++++++++-----------
 src/com/vaadin/ui/Root.java | 17 +++++++++-----
 .../customfield/BooleanFieldExample.java | 2 +-
 .../notification/Notifications.java | 1 +
 .../RichTextAreaWithKeyboardShortcuts.java | 5 ++++-
 .../tests/integration/LiferayThemeDemo.java | 13 ++++++-----
 .../v7a1/IntegerTextFieldDataSource.java | 4 ++--
 7 files changed, 37 insertions(+), 27 deletions(-)

diff --git a/src/com/vaadin/ui/Notification.java b/src/com/vaadin/ui/Notification.java
index 0358283cb4..502e5ff788 100644
--- a/src/com/vaadin/ui/Notification.java
+++ b/src/com/vaadin/ui/Notification.java
@@ -76,8 +76,7 @@ public class Notification implements Serializable {
 /**
 * Creates a "humanized" notification message.
 *
- * Care should be taken to to avoid XSS vulnerabilities as the caption is by
- * default rendered as html.
+ * The caption is rendered as plain text with HTML automatically escaped.
 *
 * @param caption
 * The message to show
@@ -89,8 +88,7 @@ public class Notification implements Serializable {
 /**
 * Creates a notification message of the specified type.
 *
- * Care should be taken to to avoid XSS vulnerabilities as the caption is by
- * default rendered as html.
+ * The caption is rendered as plain text with HTML automatically escaped.
 *
 * @param caption
 * The message to show
@@ -105,8 +103,8 @@ public class Notification implements Serializable { /** * Creates a "humanized" notification message with a bigger caption and * smaller description. * - * Care should be taken to to avoid XSS vulnerabilities as the caption and - * description are by default rendered as html. + * The caption and description are rendered as plain text with HTML + * automatically escaped. * * @param caption * The message caption
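Review bot: The rewritten Javadoc in the `Notification(String)` hunk states the new safe default but no longer tells the reader how HTML rendering is re-enabled, so the XSS caveat that was removed has nowhere left to live. I would keep one sentence pointing at the opt-in, e.g. `* The caption is rendered as plain text with HTML automatically escaped. To render HTML instead, call {@link #setHtmlContentAllowed(boolean)} and escape any untrusted input yourself.` The same sentence fits the two constructor hunks that follow on this line. The escaping itself is presumably done by the client-side widget, which is not part of this patch, so that behaviour is worth confirming before the docs promise it.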
@@ -121,8 +119,8 @@ public class Notification implements Serializable { /** * Creates a notification message of the specified type, with a bigger * caption and smaller description. * - * Care should be taken to to avoid XSS vulnerabilities as the caption and - * description are by default rendered as html. + * The caption and description are rendered as plain text with HTML + * automatically escaped. * * @param caption * The message caption
@@ -132,7 +130,7 @@ public class Notification implements Serializable {
 * The type of message
 */
 public Notification(String caption, String description, int type) {
- this(caption, description, type, true);
+ this(caption, description, type, false);
 }
 
 /**
@@ -335,8 +333,7 @@ public class Notification implements Serializable {
 * Shows a notification message on the middle of the current page. The
 * message automatically disappears ("humanized message").
 *
- * Care should be taken to to avoid XSS vulnerabilities as the caption is
- * rendered as html.
+ * The caption is rendered as plain text with HTML automatically escaped.
 *
 * @see #Notification(String)
 * @see #show(Page)
@@ -354,8 +351,7 @@ public class Notification implements Serializable {
 * defined in {@link Notification}, for instance
 * Notification.TYPE_WARNING_MESSAGE.
 *
- * Care should be taken to to avoid XSS vulnerabilities as the caption is
- * rendered as html.
+ * The caption is rendered as plain text with HTML automatically escaped.
 *
 * @see #Notification(String, int)
 * @see #show(Page)
diff --git a/src/com/vaadin/ui/Root.java b/src/com/vaadin/ui/Root.java
index 7ae687be79..2ca2da05ac 100644
--- a/src/com/vaadin/ui/Root.java
+++ b/src/com/vaadin/ui/Root.java
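Review bot: In the `@@ -132` hunk the default flips to `false`, but the four-argument constructor this delegates to, `Notification(String, String, int, boolean)`, is outside the hunk and is now the only constructor that can enable HTML; its Javadoc should inherit the XSS warning the three-argument overload just dropped, e.g. `@param htmlContentAllowed Whether caption and description are rendered as HTML; when true the caller must escape any untrusted content`. It is also worth a quick check that the one- and two-argument constructors documented earlier in this patch really chain into this overload, since their Javadoc now promises escaping while their bodies are not in the diff.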
@@ -1075,7 +1075,9 @@ public abstract class Root extends AbstractComponentContainer implements
 */
 @Deprecated
 public void showNotification(String caption) {
- getPage().showNotification(new Notification(caption));
+ Notification notification = new Notification(caption);
+ notification.setHtmlContentAllowed(true);// Backwards compatibility
+ getPage().showNotification(notification);
 }
 
 /**
@@ -1098,7 +1100,9 @@ public abstract class Root extends AbstractComponentContainer implements
 */
 @Deprecated
 public void showNotification(String caption, int type) {
- getPage().showNotification(new Notification(caption, type));
+ Notification notification = new Notification(caption, type);
+ notification.setHtmlContentAllowed(true);// Backwards compatibility
+ getPage().showNotification(notification);
 }
 
 /**
@@ -1121,7 +1125,9 @@ public abstract class Root extends AbstractComponentContainer implements
 */
 @Deprecated
 public void showNotification(String caption, String description) {
- getPage().showNotification(new Notification(caption, description));
+ Notification notification = new Notification(caption, description);
+ notification.setHtmlContentAllowed(true);// Backwards compatibility
+ getPage().showNotification(notification);
 }
 
 /**
@@ -1147,8 +1153,9 @@ public abstract class Root extends AbstractComponentContainer implements
 */
 @Deprecated
 public void showNotification(String caption, String description, int type) {
- getPage()
- .showNotification(new Notification(caption, description, type));
+ Notification notification = new Notification(caption, description, type);
+ notification.setHtmlContentAllowed(true);// Backwards compatibility
+ getPage().showNotification(notification);
 }
 
 /**
diff --git a/tests/testbench/com/vaadin/tests/components/customfield/BooleanFieldExample.java b/tests/testbench/com/vaadin/tests/components/customfield/BooleanFieldExample.java
index 694c5b54f9..88c6f7fc45 100644
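Review bot: The four deprecated `showNotification` overloads now opt back into HTML rendering, which quietly preserves the old XSS exposure for every caller still on them, and the `// Backwards compatibility` comment does not say what is being preserved; I would spell it out, e.g. `notification.setHtmlContentAllowed(true); // Backwards compatibility: these overloads always rendered HTML, so caller text is NOT escaped here`. Each method's Javadoc starts above the `*/` context line, outside the hunk, and its `@deprecated` text should likewise state that the overload renders HTML and name the escaping replacement so that migrating callers know the default changes underneath them. Minor: the comment is glued to the statement without a space before `//`.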
--- a/tests/testbench/com/vaadin/tests/components/customfield/BooleanFieldExample.java +++ b/tests/testbench/com/vaadin/tests/components/customfield/BooleanFieldExample.java @@ -64,7 +64,7 @@ public class BooleanFieldExample extends TestBase { public void buttonClick(ClickEvent event) { form.commit(); Notification.show("The custom boolean field value is " - + data.isCustom() + ".
" + + data.isCustom() + ".\n" + "The checkbox (default boolean field) value is " + data.isNormal() + "."); } diff --git a/tests/testbench/com/vaadin/tests/components/notification/Notifications.java b/tests/testbench/com/vaadin/tests/components/notification/Notifications.java index 5a158c8f03..b0c597004e 100644 --- a/tests/testbench/com/vaadin/tests/components/notification/Notifications.java +++ b/tests/testbench/com/vaadin/tests/components/notification/Notifications.java @@ -53,6 +53,7 @@ public class Notifications extends TestBase implements ClickListener { public void buttonClick(ClickEvent event) { Notification n = new Notification(tf.getValue(), (Integer) type.getValue()); + n.setHtmlContentAllowed(true); n.show(Page.getCurrent()); } } diff --git a/tests/testbench/com/vaadin/tests/components/richtextarea/RichTextAreaWithKeyboardShortcuts.java b/tests/testbench/com/vaadin/tests/components/richtextarea/RichTextAreaWithKeyboardShortcuts.java index 98f31cd68c..3b77de8b86 100644 --- a/tests/testbench/com/vaadin/tests/components/richtextarea/RichTextAreaWithKeyboardShortcuts.java +++ b/tests/testbench/com/vaadin/tests/components/richtextarea/RichTextAreaWithKeyboardShortcuts.java @@ -3,6 +3,7 @@ package com.vaadin.tests.components.richtextarea; import com.vaadin.event.Action; import com.vaadin.event.Action.Handler; import com.vaadin.event.ShortcutAction; +import com.vaadin.terminal.Page; import com.vaadin.tests.components.TestBase; import com.vaadin.ui.AbstractField; import com.vaadin.ui.Component; @@ -31,7 +32,9 @@ public class RichTextAreaWithKeyboardShortcuts extends TestBase { String string = f.getValue().toString(); msg += " Value: " + string; - Notification.show(msg); + Notification notification = new Notification(msg); + notification.setHtmlContentAllowed(true); + notification.show(Page.getCurrent()); } 
diff --git a/tests/testbench/com/vaadin/tests/integration/LiferayThemeDemo.java b/tests/testbench/com/vaadin/tests/integration/LiferayThemeDemo.java index 9397206f1e..78b8f812b9 100644 --- a/tests/testbench/com/vaadin/tests/integration/LiferayThemeDemo.java +++ b/tests/testbench/com/vaadin/tests/integration/LiferayThemeDemo.java @@ -596,8 +596,10 @@ public class LiferayThemeDemo extends Application.LegacyApplication { Button show = new Button("Humanized Notification", new Button.ClickListener() { public void buttonClick(ClickEvent event) { - new Notification(title.getValue(), message.getValue()) - .show(Page.getCurrent()); + Notification notification = new Notification( + title.getValue(), message.getValue()); + notification.setHtmlContentAllowed(true); + notification.show(Page.getCurrent()); } }); l.addComponent(show); @@ -606,7 +608,7 @@ public class LiferayThemeDemo extends Application.LegacyApplication { show = new Button("Warning Notification", new Button.ClickListener() { public void buttonClick(ClickEvent event) { new Notification(title.getValue(), message.getValue(), - Notification.TYPE_WARNING_MESSAGE).show(Page + Notification.TYPE_WARNING_MESSAGE, true).show(Page .getCurrent()); } @@ -617,7 +619,8 @@ public class LiferayThemeDemo extends Application.LegacyApplication { show = new Button("Error Notification", new Button.ClickListener() { public void buttonClick(ClickEvent event) { new Notification(title.getValue(), message.getValue(), - Notification.TYPE_ERROR_MESSAGE).show(Page.getCurrent()); + Notification.TYPE_ERROR_MESSAGE, true).show(Page + .getCurrent()); } }); @@ -627,7 +630,7 @@ public class LiferayThemeDemo extends Application.LegacyApplication { show = new Button("Tray Notification", new Button.ClickListener() { public void buttonClick(ClickEvent event) { new Notification(title.getValue(), message.getValue(), - Notification.TYPE_TRAY_NOTIFICATION).show(Page + Notification.TYPE_TRAY_NOTIFICATION, true).show(Page .getCurrent()); } 
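Review bot: The humanized-notification hunk enables HTML through `notification.setHtmlContentAllowed(true)` while the warning, error and tray hunks in the same file pass `true` as the fourth constructor argument; using one form for all four click handlers would make them read alike. Since every handler renders `title.getValue()` and `message.getValue()` as HTML, a short comment on the first one such as `// demo deliberately renders the entered text as HTML` would stop a later reader from filing it as an XSS finding. The enclosing method of each hunk continues outside the visible lines.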
diff --git a/tests/testbench/com/vaadin/tests/minitutorials/v7a1/IntegerTextFieldDataSource.java b/tests/testbench/com/vaadin/tests/minitutorials/v7a1/IntegerTextFieldDataSource.java index dd32242062..66185ef6a6 100644 --- a/tests/testbench/com/vaadin/tests/minitutorials/v7a1/IntegerTextFieldDataSource.java +++ b/tests/testbench/com/vaadin/tests/minitutorials/v7a1/IntegerTextFieldDataSource.java @@ -41,8 +41,8 @@ public class IntegerTextFieldDataSource extends AbstractTestRoot { int dataModelValue = myBean.getValue(); Notification.show("UI value (String): " + uiValue - + "
Property value (Integer): " + propertyValue - + "
Data model value (int): " + dataModelValue); + + "\nProperty value (Integer): " + propertyValue + + "\nData model value (int): " + dataModelValue); } }); -- 2.39.5
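Review bot: Replacing the removed markup line breaks with `\n` only yields visible breaks if the notification widget preserves whitespace for plain-text content, and nothing in this patch shows that it does; if the client collapses whitespace the three values run together on one line. This is inferred rather than visible, so it is worth checking against the client-side renderer, and the same substitution is made in the `BooleanFieldExample` hunk earlier in the patch. If `\n` is not honoured, the values here are all numeric, so `setHtmlContentAllowed(true)` with explicit markup would be an acceptable alternative.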