Posted to commits@myfaces.apache.org by lo...@apache.org on 2020/07/15 14:05:59 UTC
[myfaces-tobago] 03/03: TOBAGO-1843: Demo: Enhancements for Tobago
5.x
This is an automated email from the ASF dual-hosted git repository.
lofwyr pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git
commit c04dec33252313fdcc39e877b421181438fecb46
Author: Udo Schnurpfeil <ud...@irian.eu>
AuthorDate: Wed Jul 15 16:05:42 2020 +0200
TOBAGO-1843: Demo: Enhancements for Tobago 5.x
---
.../05-csp/Content_Security_Policy.xhtml | 32 ++++++++--------------
.../80-security/10-sanitize/Sanitize.xhtml | 16 +++++++++--
.../tobago-example-demo/src/main/webapp/main.xhtml | 2 --
.../src/main/webapp/server-info.xhtml | 30 +++++++++++---------
4 files changed, 43 insertions(+), 37 deletions(-)
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/05-csp/Content_Security_Policy.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/05-csp/Content_Security_Policy.xhtml
index 98c09de..9361ca2 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/05-csp/Content_Security_Policy.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/05-csp/Content_Security_Policy.xhtml
@@ -28,30 +28,22 @@
<tc:link link="http://www.w3.org/TR/CSP/" label="Specification link" image="fa-external-link"/>.
In short: The HTML page doesn't contain any JavaScript or CSS information.
All allowed sources for JavaScript, CSS and other resources have to be declared in special header.
- If you have own renderers or own JavaScript in your application, this code also needs to support SCP, to use this feature.
+ If you have own renderers or own JavaScript in your application, this code also needs to support CSP, to use this feature.
- <tc:box label="This box may be manipulated by JavaScript">
- <tc:style maxWidth="400px"/>
- <tc:panel id="panel">
+ <tc:box label="The content of this box may be manipulated by JavaScript">
+ <tc:panel id="panel-good">
+ <tc:badge markup="info" value="Notice:"/><br/>
<tc:out value="When you can read this text, it hasn't been manipulated by JavaScript.
That means the CSP is working correctly."/>
+ <i class="fa fa-check fa-2x" onclick="alert('rav');"></i>
</tc:panel>
- <script>
- <![CDATA[
- function cspDemo() {
- jQuery(DomUtils.escapeClientId("page:panel")).html(
- "<span style='color: #ff0000; font-weight: bold;'>"
- + "Attention: When you can read this text, the content was manipulated by JavaScript."
- + " It seems, your browser doesn't support CSP!</span>");
- }
-
- cspDemo();
- ]]>
- </script>
+ <tc:panel id="panel-bad">
+ <tc:style customClass="d-none"/>
+ <tc:badge markup="warning" value="Attention!"/><br/>
+ <tc:out value="When you can read this text, the content was manipulated by JavaScript. It seems, your browser doesn't support CSP!"/>
+ <i class="fa fa-exclamation-triangle fa-2x text-danger"></i>
+ </tc:panel>
+ <script type="application/javascript">document.addEventListener("DOMContentLoaded", function (event) {document.getElementById("page:mainForm:panel-good").classList.add("d-none");document.getElementById("page:mainForm:panel-bad").classList.remove("d-none"); });</script>
</tc:box>
- <h5 class="alert alert-danger">This example is currently not working!</h5>
-
-
-
</ui:composition>
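Review bot: The `onclick="alert('rav');"` added on the check icon inside `panel-good` is unexplained and the string `rav` reads like a debugging leftover; whenever CSP is not enforced it pops an alert from the "good" panel that none of the surrounding text mentions. If it is meant as a second probe showing that inline event handlers are blocked too, give it a comment and a purpose, e.g. `<!-- inline handler: blocked under CSP; only fires when CSP is not enforced -->`, otherwise drop the attribute. The trailing inline script hard-codes the client ids `page:mainForm:panel-good` / `page:mainForm:panel-bad`, so the demo silently stops reporting a CSP failure if the enclosing form id changes; a comment stating that dependency (or deriving the ids from the component, as the removed `DomUtils.escapeClientId` call did) would make that explicit. The `panel-bad` text blames the browser, but as far as this page shows the same script also runs when the server-side CSP mode is switched off in `tobago-config.xml`, so wording like "CSP is not active (browser or server configuration)" would be more accurate.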
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/10-sanitize/Sanitize.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/10-sanitize/Sanitize.xhtml
index 2a9d5e0..814d0e1 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/10-sanitize/Sanitize.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/10-sanitize/Sanitize.xhtml
@@ -25,11 +25,23 @@
<ui:param name="title" value="Sanitizer"/>
<ul>
- <li>Filter all suspicious content from tc:textarea and tc:out with escape=false.</li>
+ <li>Filter all suspicious content from
+ <pre><code class="language-markup"><tc:textarea></code></pre> and
+ <pre><code class="language-markup"><tc:out escape="false"></code></pre>
+ </li>
<li>See <tc:link label="OWASP Java HTML Sanitizer Project"
link="https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project"
image="fa-external-link" /></li>
- <li>The filter can be configured the <code>tobago-config.xml</code> file.</li>
+ <li>The filter can be configured the <code>tobago-config.xml</code> file with
+ the <code class="language-markup"><sanitizer></code> tag.</li>
</ul>
+ Example for an configuration which is active by default:
+ <pre><code class="language-markup"><sanitizer>
+ <sanitizer-class>org.apache.myfaces.tobago.sanitizer.JsoupSanitizer</sanitizer-class>
+ <properties>
+ <!-- Use one of: basic, basicWithImages, relaxed, simpleText or none -->
+ <entry key="whitelist">relaxed</entry>
+ </properties>
+</sanitizer></code></pre>
</ui:composition>
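Review bot: The comment in the new sample `<sanitizer>` block lists `none` as a valid `whitelist` value without saying what it implies; since this page states the filter is what strips suspicious content from `tc:textarea` and `tc:out escape="false"`, a reader copying the block should be warned that `none` presumably disables that filtering and is only acceptable for markup from trusted sources. Suggest `<!-- Use one of: basic, basicWithImages, relaxed, simpleText or none (none disables sanitizing - do not use with untrusted content) -->`. Two wording fixes in the surrounding prose: `configured the <code>tobago-config.xml</code>` should read `configured in the <code>tobago-config.xml</code>`, and `Example for an configuration which is active by default:` should read `Example of the configuration that is active by default:`.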
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/main.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/main.xhtml
index e83bfbc..eb6655f 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/main.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/main.xhtml
@@ -86,8 +86,6 @@
</f:facet>
<tc:out label="Theme:" value="#{themeController.localizedTheme} (#{themeController.theme.version})"/>
<tc:out label="Locale:" value="#{localeController.localizedLocale}"/>
- <tc:out label="Project Stage:" value="#{facesContext.application.projectStage}"/>
- <tc:out label="CSP mode:" value="#{tobagoConfig.contentSecurityPolicy.mode}"/>
<tc:out label="Requests:"
value="#{activityList.values[0].jsfRequest} / AJAX: #{activityList.values[0].ajaxRequest}"/>
</tc:box>
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/server-info.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/server-info.xhtml
index ee94d08..20be51e 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/server-info.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/server-info.xhtml
@@ -27,30 +27,34 @@
<tc:section label="Main Properties">
- <tc:in value="#{serverInfo.version}" readonly="true" label="Tobago Version"/>
+ <tc:out value="#{serverInfo.version}" label="Tobago Version:"/>
- <tc:in value="#{manifestReader.buildTime}" readonly="true" label="Tobago Build Time">
+ <tc:out value="#{manifestReader.buildTime}" label="Tobago Build Time:">
<f:convertDateTime type="both"/>
- </tc:in>
+ </tc:out>
- <tc:in value="#{serverInfo.jsfTitle}" readonly="true" label="JSF Implementation"/>
+ <tc:out value="#{serverInfo.jsfTitle}" label="JSF Implementation:"/>
- <tc:in value="#{serverInfo.jsfVersion}" readonly="true" label="JSF Version"/>
+ <tc:out value="#{serverInfo.jsfVersion}" label="JSF Version:"/>
- <tc:in value="#{serverInfo.cdiTitle}" readonly="true" label="CDI Implementation"/>
+ <tc:out value="#{serverInfo.cdiTitle}" label="CDI Implementation:"/>
- <tc:in value="#{serverInfo.cdiVersion}" readonly="true" label="CDI Version"/>
+ <tc:out value="#{serverInfo.cdiVersion}" label="CDI Version:"/>
- <tc:in value="#{serverInfo.serverInfo}" readonly="true" label="Server Info"/>
+ <tc:out value="#{serverInfo.serverInfo}" label="Server Info:"/>
- <tc:in value="#{serverInfo.systemProperties['java.runtime.version']} - #{serverInfo.systemProperties['java.vm.vendor']}"
- readonly="true" label="Java"/>
+ <tc:out value="#{serverInfo.systemProperties['java.runtime.version']} - #{serverInfo.systemProperties['java.vm.vendor']}"
+ label="Java:"/>
- <tc:in
+ <tc:out
value="#{serverInfo.systemProperties['os.name']} - #{serverInfo.systemProperties['os.version']} - #{serverInfo.systemProperties['os.arch']}"
- readonly="true" label="Operating System"/>
+ label="Operating System:"/>
- <tc:segmentLayout medium="6seg 6seg" large="4seg 4seg 4seg" extraLarge="3seg 3seg 3seg">
+ <tc:out label="Project Stage:" value="#{facesContext.application.projectStage}"/>
+ <tc:out label="CSP mode:" value="#{tobagoContext.tobagoConfig.contentSecurityPolicy.mode}"/>
+ <tc:out label="CSP detail:" value="#{tobagoContext.tobagoConfig.contentSecurityPolicy.directiveMap}"/>
+
+ <tc:segmentLayout medium="6seg 6seg" large="4seg 4seg 4seg" extraLarge="3 seg 3seg 3seg">
<tc:selectBooleanCheckbox value="#{version.version20}" readonly="true" label="Version 2.0"/>
<tc:selectBooleanCheckbox value="#{version.version21}" readonly="true" label="Version 2.1"/>
<tc:selectBooleanCheckbox value="#{version.version22}" readonly="true" label="Version 2.2"/>