author | Aleksi Hietanen <aleksi@vaadin.com> | 2016-10-13 13:00:49 +0300 |
committer | Aleksi Hietanen <aleksi@vaadin.com> | 2016-10-13 13:23:27 +0300 |
commit | 7c8a03ce9e37d4abc172c050976a15d7f269b55e (patch) | |
tree | 1498e80dd8750d593318021b417b8445ebf552e9 | |
parent | fb4248119d77a6865a42ffdf0d80f10d683769a5 (diff) | |
Fix HTML injection issue in BoV custom ValidationStatusHandler example
Change-Id: Ib02f6c2ddc32d70f45180a03832b3dec790ecc3d
-rw-r--r-- | documentation/datamodel/datamodel-forms.asciidoc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/documentation/datamodel/datamodel-forms.asciidoc b/documentation/datamodel/datamodel-forms.asciidoc
index 0a040230c6..f34bae1aa2 100644
--- a/documentation/datamodel/datamodel-forms.asciidoc
+++ b/documentation/datamodel/datamodel-forms.asciidoc
@@ -572,10 +572,16 @@ BinderValidationStatusHandler defaultHandler = binder.getValidationStatusHandler
 binder.setValidationStatusHandler(status -> {
 // create an error message on failed bean level validations
 List<Result<?>> errors = status.getBeanValidationErrors();
+
 // collect all bean level error messages into a single string,
 // separating each message with a <br> tag
 String errorMessage = errors.stream().map(Result::getMessage)
- .map(o -> o.get()).collect(Collectors.joining("<br>"));
+ .map(o -> o.get())
+ // sanitize the individual error strings to avoid code injection
+ // since we are displaying the resulting string as HTML
+ .map(errorString -> Jsoup.clean(errorString, Whitelist.simpleText()))
+ .collect(Collectors.joining("<br>"));
+
 // finally, display all bean level validation errors in a single label
 formStatusLabel.setValue(errorMessage);
 formStatusLabel.setVisible(!errorMessage.isEmpty()); |