diff options
author | Leif Åstrand <leif@vaadin.com> | 2014-11-14 15:27:49 +0200 |
---|---|---|
committer | Sauli Tähkäpää <sauli@vaadin.com> | 2014-12-02 20:55:01 +0200 |
commit | 0cdaf28d282134413910971cdeb7ed71cacdc6e3 (patch) | |
tree | e2049959183a2f2197cc01479bf0591b0e624f68 | |
parent | a44e2ced3676629c4c532e1896016c9852b86d6c (diff) | |
download | vaadin-framework-0cdaf28d282134413910971cdeb7ed71cacdc6e3.tar.gz vaadin-framework-0cdaf28d282134413910971cdeb7ed71cacdc6e3.zip |
Escape dynamic and configured theme names in the same way. (#15309)7.3.6
Change-Id: Ib7fd42e6017d0b78e6d5e6bd7f531f0cd6c8c0ab
-rw-r--r-- | server/src/com/vaadin/server/VaadinServlet.java | 6 | ||||
-rw-r--r-- | server/src/com/vaadin/ui/UI.java | 8 | ||||
-rw-r--r-- | server/tests/src/com/vaadin/ui/UIThemeEscaping.java | 43 |
3 files changed, 52 insertions, 5 deletions
diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java index 4fd1e97a40..d1242676da 100644 --- a/server/src/com/vaadin/server/VaadinServlet.java +++ b/server/src/com/vaadin/server/VaadinServlet.java @@ -573,8 +573,8 @@ public class VaadinServlet extends HttpServlet implements Constants { /** * A helper method to strip away characters that might somehow be used for - * XSS attacs. Leaves at least alphanumeric characters intact. Also removes - * eg. ( and ), so values should be safe in javascript too. + * XSS attacks. Leaves at least alphanumeric characters intact. Also removes + * e.g. '(' and ')', so values should be safe in javascript too. * * @param themeName * @return @@ -583,7 +583,7 @@ public class VaadinServlet extends HttpServlet implements Constants { * version */ @Deprecated - protected static String stripSpecialChars(String themeName) { + public static String stripSpecialChars(String themeName) { StringBuilder sb = new StringBuilder(); char[] charArray = themeName.toCharArray(); for (int i = 0; i < charArray.length; i++) { diff --git a/server/src/com/vaadin/ui/UI.java b/server/src/com/vaadin/ui/UI.java index 78cb5488e8..44948dfb6f 100644 --- a/server/src/com/vaadin/ui/UI.java +++ b/server/src/com/vaadin/ui/UI.java @@ -633,7 +633,11 @@ public abstract class UI extends AbstractSingleComponentContainer implements this.embedId = embedId; // Actual theme - used for finding CustomLayout templates - getState().theme = request.getParameter("theme"); + String unescapedThemeName = request.getParameter("theme"); + if (unescapedThemeName != null) { + // Set theme escapes the name + setTheme(unescapedThemeName); + } getPage().init(request); @@ -1164,7 +1168,7 @@ public abstract class UI extends AbstractSingleComponentContainer implements * The new theme name */ public void setTheme(String theme) { - getState().theme = theme; + getState().theme = VaadinServlet.stripSpecialChars(theme); } /** diff --git a/server/tests/src/com/vaadin/ui/UIThemeEscaping.java b/server/tests/src/com/vaadin/ui/UIThemeEscaping.java new file mode 100644 index 0000000000..ca6782952d --- /dev/null +++ b/server/tests/src/com/vaadin/ui/UIThemeEscaping.java @@ -0,0 +1,43 @@ +/* + * Copyright 2000-2014 Vaadin Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ +package com.vaadin.ui; + +import org.junit.Assert; +import org.junit.Test; + +import com.vaadin.server.VaadinRequest; + +public class UIThemeEscaping { + + @Test + public void testThemeEscaping() { + UI ui = new UI() { + @Override + protected void init(VaadinRequest request) { + // Nothing to do + } + }; + + ui.setTheme("a<å(_\"$"); + + String theme = ui.getTheme(); + + Assert.assertEquals( + "Dangerous characters should be removed from the theme name", + "aå_$", theme); + } + +} |