Posted to commits@deltaspike.apache.org by st...@apache.org on 2017/12/21 11:50:48 UTC

[2/2] deltaspike git commit: DELTASPIKE-1307 sanitise windowId against JavaScript injection

DELTASPIKE-1307 sanitise windowId against JavaScript injection


Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo
Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/72e607f3
Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/72e607f3
Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/72e607f3

Branch: refs/heads/master
Commit: 72e607f3be66c30c72b32c24b44e9deaa8e54608
Parents: 11b40fe
Author: Mark Struberg <st...@apache.org>
Authored: Thu Dec 21 12:50:00 2017 +0100
Committer: Mark Struberg <st...@apache.org>
Committed: Thu Dec 21 12:50:00 2017 +0100

----------------------------------------------------------------------
 .../strategy/AbstractClientWindowStrategy.java    | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/deltaspike/blob/72e607f3/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
index 4078e45..f98bdc7 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
@@ -25,7 +25,6 @@ import javax.annotation.PostConstruct;
 import javax.faces.context.FacesContext;
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
-import org.apache.deltaspike.core.spi.scope.window.WindowContext;
 import org.apache.deltaspike.jsf.api.config.JsfModuleConfig;
 import org.apache.deltaspike.jsf.impl.util.ClientWindowHelper;
 import org.apache.deltaspike.jsf.spi.scope.window.ClientWindow;
@@ -52,9 +51,6 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow
     @Inject
     protected JsfModuleConfig jsfModuleConfig;
 
-    @Inject
-    protected WindowContext windowContext;
-
     private int maxWindowIdCount = 10;
 
     @PostConstruct
@@ -77,8 +73,11 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow
 
         windowId = getOrCreateWindowId(facesContext);
 
+
         if (windowId != null)
         {
+            windowId = sanitiseWindowId(windowId);
+
             // don't cut the windowId generated from JSF
             ClientWindowConfig.ClientWindowRenderMode clientWindowRenderMode =
                     clientWindowConfig.getClientWindowRenderMode(facesContext);
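Review bot: The sanitisation is applied only to the value returned from `getOrCreateWindowId`, so if a concrete strategy stores the raw id somewhere (session, cookie, response) before returning it, that copy stays unsanitised; this cannot be confirmed from the hunk, since the subclasses are not shown, but it is worth verifying against each implementation. The added blank line before the `if` also leaves two consecutive empty lines, which the surrounding code does not do; drop it. The enclosing method starts and ends outside the hunk.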
@@ -96,6 +95,17 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow
         return windowId;
     }
 
+
+    /**
+     * We have to escape some characters to make sure we do not open
+     * any XSS vectors. E.g. replace () etc to
+     * prevent attackers from injecting JavaScript function calls.
+     */
+    protected String sanitiseWindowId(String windowId)
+    {
+        return windowId.replace('(', '_');
+    }
+
     protected abstract String getOrCreateWindowId(FacesContext facesContext);
 
     protected String generateNewWindowId()
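Review bot: `sanitiseWindowId` replaces only `(` even though its Javadoc says "replace () etc", so `)`, quotes, `<`, `>` and `;` pass through unchanged to wherever the id is later written into markup or script, which is the vector the Javadoc itself names. A single-character denylist is fragile; keeping only the characters a generated id can legitimately contain is the robust form, e.g. `return windowId.replaceAll("[^A-Za-z0-9_-]", "_");`, with the character class checked against `generateNewWindowId`, whose body is outside the hunk. The Javadoc should then describe what is kept rather than what is stripped, e.g. `Reduce a request-supplied windowId to the characters a generated id may contain so it can be emitted into HTML or JavaScript without opening an XSS vector.` Context-appropriate output encoding at the point where the id is emitted remains the primary defence; this method is a safety net, and the comment should say so.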