author | Leif Åstrand <leif@vaadin.com> | 2014-11-14 15:27:49 +0200 |
---|---|---|
committer | Vaadin Code Review <review@vaadin.com> | 2014-12-02 18:53:11 +0000 |
commit | 3c59a1f08d6e2288c4bcd0ac74273ae14c4d4e0b (patch) | |
tree | 3daaf9abae0297a76f20e11aa12574f691dff714 /server/src/com | |
parent | 654846837379db9a76823f5d0e73e5e6bfa8115d (diff) | |
Escape dynamic and configured theme names in the same way. (#15309)
Change-Id: Ib7fd42e6017d0b78e6d5e6bd7f531f0cd6c8c0ab
Diffstat (limited to 'server/src/com')
-rw-r--r-- | server/src/com/vaadin/server/VaadinServlet.java | 6 | ||||
-rw-r--r-- | server/src/com/vaadin/ui/UI.java | 8 |
2 files changed, 9 insertions, 5 deletions
diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java
index 4fd1e97a40..d1242676da 100644
--- a/server/src/com/vaadin/server/VaadinServlet.java
+++ b/server/src/com/vaadin/server/VaadinServlet.java
@@ -573,8 +573,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
     /**
      * A helper method to strip away characters that might somehow be used for
-     * XSS attacs. Leaves at least alphanumeric characters intact. Also removes
-     * eg. ( and ), so values should be safe in javascript too.
+     * XSS attacks. Leaves at least alphanumeric characters intact. Also removes
+     * e.g. '(' and ')', so values should be safe in javascript too.
      *
      * @param themeName
      * @return
@@ -583,7 +583,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
      *             version
      */
     @Deprecated
-    protected static String stripSpecialChars(String themeName) {
+    public static String stripSpecialChars(String themeName) {
         StringBuilder sb = new StringBuilder();
         char[] charArray = themeName.toCharArray();
         for (int i = 0; i < charArray.length; i++) {
diff --git a/server/src/com/vaadin/ui/UI.java b/server/src/com/vaadin/ui/UI.java
index 78cb5488e8..44948dfb6f 100644
--- a/server/src/com/vaadin/ui/UI.java
+++ b/server/src/com/vaadin/ui/UI.java
@@ -633,7 +633,11 @@ public abstract class UI extends AbstractSingleComponentContainer implements
         this.embedId = embedId;
         // Actual theme - used for finding CustomLayout templates
-        getState().theme = request.getParameter("theme");
+        String unescapedThemeName = request.getParameter("theme");
+        if (unescapedThemeName != null) {
+            // Set theme escapes the name
+            setTheme(unescapedThemeName);
+        }
         getPage().init(request);
@@ -1164,7 +1168,7 @@ public abstract class UI extends AbstractSingleComponentContainer implements
      *             The new theme name
      */
     public void setTheme(String theme) {
-        getState().theme = theme;
+        getState().theme = VaadinServlet.stripSpecialChars(theme);
     }
     /**
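Review bot: `stripSpecialChars` is widened to `public` while the `@Deprecated` annotation directly above the signature is kept, so the sanitizer that `UI.setTheme` now depends on is at the same time advertised as something callers should stop using; either drop the deprecation or state in the Javadoc that the framework itself relies on this method for theme-name sanitization. The `@param themeName` and `@return` tags in the preceding hunk are still empty — suggest `@param themeName the raw theme name to sanitize, must not be null` and `@return the theme name with all disallowed characters removed`. The method body continues outside the hunk, so which characters survive the loop cannot be confirmed from here.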
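Review bot: The new local `unescapedThemeName` and the comment `// Set theme escapes the name` describe the operation as escaping, but `setTheme` delegates to `stripSpecialChars`, which removes characters rather than encoding them, so a reader may assume the original value is preserved in an encoded form. Suggest `String requestedThemeName = request.getParameter("theme");` and `// setTheme() strips characters that are not allowed in a theme name`. The enclosing method starts and ends outside the hunk.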
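Review bot: `setTheme(null)` now throws a `NullPointerException`: the removed line stored `null` directly, while `VaadinServlet.stripSpecialChars` calls `themeName.toCharArray()` on its argument (visible in the first file's hunk). The caller in `init` guards with a null check, but application code calling the public `setTheme` gets no such guard, so any caller that passed null to reset the theme regresses. Suggest `getState().theme = theme == null ? null : VaadinServlet.stripSpecialChars(theme);` and extending the existing `The new theme name` parameter description with `; characters outside the allowed set are silently removed`. Note also that stripping rather than rejecting silently maps an unexpected request value onto a different, possibly existing theme name; if the value is meant to match a configured theme exactly, rejecting unexpected input would be the clearer contract.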