Posted to dev@tapestry.apache.org by cc...@apache.org on 2010/09/06 08:52:06 UTC

svn commit: r992951 - in /tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src: main/resources/org/apache/tapestry5/corelib/components/datefield.js test/java/org/apache/tapestry5/integration/IntegrationTests.java

Author: ccordenier
Date: Mon Sep  6 06:52:06 2010
New Revision: 992951

URL: http://svn.apache.org/viewvc?rev=992951&view=rev
Log:
Apply TAP5-1057 to 1.0.8 (see TAP5-1057)

Modified:
    tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
    tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java

Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js?rev=992951&r1=992950&r2=992951&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js (original)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js Mon Sep  6 06:52:06 2010
@@ -55,7 +55,7 @@ Tapestry.DateField = Class.create({
         }
 
 
-        var value = $F(this.field);
+        var value = $F(this.field).escapeHTML();
 
         if (value == "")
         {
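Review bot: The escaping on the new line is applied at the source, before the value is sent off for parsing, rather than at the sink where the server's message is rendered, so it only works as long as the server echoes the input verbatim and the message is inserted as HTML; if the server ever escapes on its own the bubble will show double-escaped text, and any other use of `value` in this function (outside the hunk) now sees an entity-encoded string. The more robust shape is to keep `var value = $F(this.field);` as it was and escape the message where it is displayed, in the error handler that calls the validation bubble, which is not visible here. Note also that Prototype's `escapeHTML()` does not touch quotes, so this encoding is only adequate for element-content insertion, not for attribute values. A comment on the changed line would help the next reader: `// TAP5-1057: the server echoes the input in its error message, which is rendered as HTML`. The enclosing function begins before this hunk.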

Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=992951&r1=992950&r2=992951&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Mon Sep  6 06:52:06 2010
@@ -1267,6 +1267,19 @@ public class IntegrationTests extends Ab
 
         clickAndWait("link=english");
     }
+    
+    @Test
+    public void xss_datefield()
+    {
+        start("DateField Demo", "clear", "english");
+
+        type("asteroidImpact", "<script>alert('T5 is great'); </script>");
+
+        click("id=asteroidImpact-trigger");
+        
+        assertBubbleMessage("asteroidImpact", "Unparseable date: \"<script>alert('T5 is great'); </script>\"");
+
+    }
 
     /**
      * This also checks that the date type is displayed correctly by BeanDisplay and Grid.
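Review bot: The new test pins the escaped text but carries no explanation of why the expected message must contain a literal `<script>` as visible text, so a later maintainer may "simplify" it into an unescaped assertion and silently lose the regression check; add a Javadoc such as `/** TAP5-1057: the payload must come back as text (escaped), never be interpreted as markup. */` above `xss_datefield()`. The assertion on the bubble text only shows the markup survived as text; if the suite exposes Selenium's `isAlertPresent()`, an additional `assertFalse(isAlertPresent());` after the click would state the actual property under test directly. The two whitespace-only added lines (after the `@Test` annotation's preceding blank and after the click) carry trailing spaces.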