aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeif Åstrand <leif@vaadin.com>2014-11-14 15:27:49 +0200
committerSauli Tähkäpää <sauli@vaadin.com>2014-12-02 20:55:01 +0200
commit0cdaf28d282134413910971cdeb7ed71cacdc6e3 (patch)
treee2049959183a2f2197cc01479bf0591b0e624f68
parenta44e2ced3676629c4c532e1896016c9852b86d6c (diff)
downloadvaadin-framework-0cdaf28d282134413910971cdeb7ed71cacdc6e3.tar.gz
vaadin-framework-0cdaf28d282134413910971cdeb7ed71cacdc6e3.zip
Escape dynamic and configured theme names in the same way. (#15309)7.3.6
Change-Id: Ib7fd42e6017d0b78e6d5e6bd7f531f0cd6c8c0ab
-rw-r--r--server/src/com/vaadin/server/VaadinServlet.java6
-rw-r--r--server/src/com/vaadin/ui/UI.java8
-rw-r--r--server/tests/src/com/vaadin/ui/UIThemeEscaping.java43
3 files changed, 52 insertions, 5 deletions
diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java
index 4fd1e97a40..d1242676da 100644
--- a/server/src/com/vaadin/server/VaadinServlet.java
+++ b/server/src/com/vaadin/server/VaadinServlet.java
@@ -573,8 +573,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
/**
* A helper method to strip away characters that might somehow be used for
- * XSS attacs. Leaves at least alphanumeric characters intact. Also removes
- * eg. ( and ), so values should be safe in javascript too.
+ * XSS attacks. Leaves at least alphanumeric characters intact. Also removes
+ * e.g. '(' and ')', so values should be safe in javascript too.
*
* @param themeName
* @return
@@ -583,7 +583,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
* version
*/
@Deprecated
- protected static String stripSpecialChars(String themeName) {
+ public static String stripSpecialChars(String themeName) {
StringBuilder sb = new StringBuilder();
char[] charArray = themeName.toCharArray();
for (int i = 0; i < charArray.length; i++) {
diff --git a/server/src/com/vaadin/ui/UI.java b/server/src/com/vaadin/ui/UI.java
index 78cb5488e8..44948dfb6f 100644
--- a/server/src/com/vaadin/ui/UI.java
+++ b/server/src/com/vaadin/ui/UI.java
@@ -633,7 +633,11 @@ public abstract class UI extends AbstractSingleComponentContainer implements
this.embedId = embedId;
// Actual theme - used for finding CustomLayout templates
- getState().theme = request.getParameter("theme");
+ String unescapedThemeName = request.getParameter("theme");
+ if (unescapedThemeName != null) {
+ // Set theme escapes the name
+ setTheme(unescapedThemeName);
+ }
getPage().init(request);
@@ -1164,7 +1168,7 @@ public abstract class UI extends AbstractSingleComponentContainer implements
* The new theme name
*/
public void setTheme(String theme) {
- getState().theme = theme;
+ getState().theme = VaadinServlet.stripSpecialChars(theme);
}
/**
diff --git a/server/tests/src/com/vaadin/ui/UIThemeEscaping.java b/server/tests/src/com/vaadin/ui/UIThemeEscaping.java
new file mode 100644
index 0000000000..ca6782952d
--- /dev/null
+++ b/server/tests/src/com/vaadin/ui/UIThemeEscaping.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2000-2014 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.vaadin.ui;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import com.vaadin.server.VaadinRequest;
+
+public class UIThemeEscaping {
+
+ @Test
+ public void testThemeEscaping() {
+ UI ui = new UI() {
+ @Override
+ protected void init(VaadinRequest request) {
+ // Nothing to do
+ }
+ };
+
+ ui.setTheme("a<å(_\"$");
+
+ String theme = ui.getTheme();
+
+ Assert.assertEquals(
+ "Dangerous characters should be removed from the theme name",
+ "aå_$", theme);
+ }
+
+}