author | Leif Åstrand <leif@vaadin.com> | 2014-11-14 15:27:49 +0200 |
---|---|---|
committer | Sauli Tähkäpää <sauli@vaadin.com> | 2014-12-02 20:55:01 +0200 |
commit | 0cdaf28d282134413910971cdeb7ed71cacdc6e3 (patch) | |
tree | e2049959183a2f2197cc01479bf0591b0e624f68 | |
parent | a44e2ced3676629c4c532e1896016c9852b86d6c (diff) | |
Escape dynamic and configured theme names in the same way. (#15309)7.3.6
Change-Id: Ib7fd42e6017d0b78e6d5e6bd7f531f0cd6c8c0ab
-rw-r--r-- | server/src/com/vaadin/server/VaadinServlet.java | 6 | ||||
-rw-r--r-- | server/src/com/vaadin/ui/UI.java | 8 | ||||
-rw-r--r-- | server/tests/src/com/vaadin/ui/UIThemeEscaping.java | 43 |
3 files changed, 52 insertions, 5 deletions
diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java
index 4fd1e97a40..d1242676da 100644
--- a/server/src/com/vaadin/server/VaadinServlet.java
+++ b/server/src/com/vaadin/server/VaadinServlet.java
@@ -573,8 +573,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
 /**
 * A helper method to strip away characters that might somehow be used for
- * XSS attacs. Leaves at least alphanumeric characters intact. Also removes
- * eg. ( and ), so values should be safe in javascript too.
+ * XSS attacks. Leaves at least alphanumeric characters intact. Also removes
+ * e.g. '(' and ')', so values should be safe in javascript too.
 *
 * @param themeName
 * @return
@@ -583,7 +583,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
 * version
 */
 @Deprecated
- protected static String stripSpecialChars(String themeName) {
+ public static String stripSpecialChars(String themeName) {
 StringBuilder sb = new StringBuilder();
 char[] charArray = themeName.toCharArray();
 for (int i = 0; i < charArray.length; i++) {
diff --git a/server/src/com/vaadin/ui/UI.java b/server/src/com/vaadin/ui/UI.java
index 78cb5488e8..44948dfb6f 100644
--- a/server/src/com/vaadin/ui/UI.java
+++ b/server/src/com/vaadin/ui/UI.java
@@ -633,7 +633,11 @@ public abstract class UI extends AbstractSingleComponentContainer implements
 this.embedId = embedId;
 // Actual theme - used for finding CustomLayout templates
- getState().theme = request.getParameter("theme");
+ String unescapedThemeName = request.getParameter("theme");
+ if (unescapedThemeName != null) {
+ // Set theme escapes the name
+ setTheme(unescapedThemeName);
+ }
 getPage().init(request);
@@ -1164,7 +1168,7 @@ public abstract class UI extends AbstractSingleComponentContainer implements
 * The new theme name
 */
 public void setTheme(String theme) {
- getState().theme = theme;
+ getState().theme = VaadinServlet.stripSpecialChars(theme);
 }
 /**
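Review bot: The `@param themeName` and `@return` tags in the first VaadinServlet hunk are still left blank even though the Javadoc wording above them is being corrected, and the method is now public API. The contract worth stating is what the next hunk shows: the argument is dereferenced via `themeName.toCharArray()`, so a null argument fails. Suggested tags: `@param themeName the raw theme name to sanitize, must not be null`, `@return the theme name with the disallowed characters removed`, `@throws NullPointerException if themeName is null`. The loop that decides which characters survive lies outside the hunk, so the exact allowed set should be described there rather than guessed here.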
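Review bot: `stripSpecialChars` is widened from protected to public while the `@Deprecated` annotation directly above it and the `@deprecated ... Will likely change or be removed in a future version` Javadoc stay in place, and `UI.setTheme` in this same commit starts depending on it. Promoting a member into public API and keeping it deprecated is contradictory: callers get a deprecation warning for the routine the framework itself now uses for escaping. Either drop the deprecation now that this is the shared sanitizer for theme names, or add to the Javadoc something like `Kept as the common theme-name escaping routine used by UI.setTheme; do not remove without providing a replacement.` The method body continues past the end of the hunk.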
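Review bot: `setTheme(null)` now throws NullPointerException in the last UI hunk, because `VaadinServlet.stripSpecialChars` calls `themeName.toCharArray()` on its argument (visible in the VaadinServlet hunk), whereas before this change a null was simply stored in the state. The constructor path added in the first UI hunk guards against exactly this with `if (unescapedThemeName != null)`, which suggests the null case is known but left unhandled for direct callers that reset the theme. A one-line guard keeps the old semantics: `getState().theme = theme == null ? null : VaadinServlet.stripSpecialChars(theme);`. The `The new theme name` Javadoc above the signature should then say whether null is accepted and what it means.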
diff --git a/server/tests/src/com/vaadin/ui/UIThemeEscaping.java b/server/tests/src/com/vaadin/ui/UIThemeEscaping.java
new file mode 100644
index 0000000000..ca6782952d
--- /dev/null
+++ b/server/tests/src/com/vaadin/ui/UIThemeEscaping.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2000-2014 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.vaadin.ui;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import com.vaadin.server.VaadinRequest;
+
+public class UIThemeEscaping {
+
+ @Test
+ public void testThemeEscaping() {
+ UI ui = new UI() {
+ @Override
+ protected void init(VaadinRequest request) {
+ // Nothing to do
+ }
+ };
+
+ ui.setTheme("a<å(_\"$");
+
+ String theme = ui.getTheme();
+
+ Assert.assertEquals(
+ "Dangerous characters should be removed from the theme name",
+ "aå_$", theme);
+ }
+
+}
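Review bot: The new test exercises only the `setTheme` path; the other half of the commit, the `request.getParameter("theme")` value routed through `setTheme` in the UI constructor hunk, has no coverage, so a regression on the request-driven theme would pass this suite. A second case that feeds a request stub carrying a crafted `theme` parameter into the UI and asserts on `getTheme()` would close that gap, if the test tree has a VaadinRequest mock that makes this practical. A `setTheme(null)` case would also pin whatever null behaviour is intended, since the sanitizer dereferences its argument. The expected value `"aå_$"` silently documents that non-ASCII letters survive escaping; stating that in the assertion message, e.g. `"Only ASCII punctuation should be removed; letters such as å are kept"`, makes the intent of the fixture explicit.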