summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAleksi Hietanen <aleksi@vaadin.com>2016-10-13 13:00:49 +0300
committerAleksi Hietanen <aleksi@vaadin.com>2016-10-13 13:23:27 +0300
commit7c8a03ce9e37d4abc172c050976a15d7f269b55e (patch)
tree1498e80dd8750d593318021b417b8445ebf552e9
parentfb4248119d77a6865a42ffdf0d80f10d683769a5 (diff)
downloadvaadin-framework-7c8a03ce9e37d4abc172c050976a15d7f269b55e.tar.gz
vaadin-framework-7c8a03ce9e37d4abc172c050976a15d7f269b55e.zip
Fix security issue in BoV custom ValidationStatusHandler example
Change-Id: Ib02f6c2ddc32d70f45180a03832b3dec790ecc3d
-rw-r--r--documentation/datamodel/datamodel-forms.asciidoc8
1 files changed, 7 insertions, 1 deletions
diff --git a/documentation/datamodel/datamodel-forms.asciidoc b/documentation/datamodel/datamodel-forms.asciidoc
index 0a040230c6..f34bae1aa2 100644
--- a/documentation/datamodel/datamodel-forms.asciidoc
+++ b/documentation/datamodel/datamodel-forms.asciidoc
@@ -572,10 +572,16 @@ BinderValidationStatusHandler defaultHandler = binder.getValidationStatusHandler
binder.setValidationStatusHandler(status -> {
// create an error message on failed bean level validations
List<Result<?>> errors = status.getBeanValidationErrors();
+
// collect all bean level error messages into a single string,
// separating each message with a <br> tag
String errorMessage = errors.stream().map(Result::getMessage)
- .map(o -> o.get()).collect(Collectors.joining("<br>"));
+ .map(o -> o.get())
+ // sanitize the individual error strings to avoid code injection
+ // since we are displaying the resulting string as HTML
+ .map(errorString -> Jsoup.clean(errorString, Whitelist.simpleText()))
+ .collect(Collectors.joining("<br>"));
+
// finally, display all bean level validation errors in a single label
formStatusLabel.setValue(errorMessage);
formStatusLabel.setVisible(!errorMessage.isEmpty());