Posted to commits@deltaspike.apache.org by st...@apache.org on 2017/12/30 09:56:06 UTC
deltaspike git commit: DELTASPIKE-1307 improve sanitise windowId
Repository: deltaspike
Updated Branches:
refs/heads/master f271b6ac7 -> d95abe8c0
DELTASPIKE-1307 improve sanitise windowId
Also guard against HTML injection
Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo
Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/d95abe8c
Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/d95abe8c
Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/d95abe8c
Branch: refs/heads/master
Commit: d95abe8c01d256da2ce0a5a88f4593138156a4e5
Parents: f271b6a
Author: Mark Struberg <st...@apache.org>
Authored: Sat Dec 30 10:55:20 2017 +0100
Committer: Mark Struberg <st...@apache.org>
Committed: Sat Dec 30 10:55:20 2017 +0100
----------------------------------------------------------------------
.../scope/window/strategy/AbstractClientWindowStrategy.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/deltaspike/blob/d95abe8c/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
index f98bdc7..dc621c1 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
@@ -98,12 +98,12 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow
/**
* We have to escape some characters to make sure we do not open
- * any XSS vectors. E.g. replace () etc to
- * prevent attackers from injecting JavaScript function calls.
+ * any XSS vectors. E.g. replace (,<, & etc to
+ * prevent attackers from injecting JavaScript function calls or html.
*/
protected String sanitiseWindowId(String windowId)
{
- return windowId.replace('(', '_');
+ return windowId.replace('(', '_').replace('<', '_').replace('&', '_');
}
protected abstract String getOrCreateWindowId(FacesContext facesContext);
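Review bot: The new return line is still a deny-list: only `(`, `<` and `&` are rewritten, so other characters that are significant in an HTML or JavaScript context (`)`, `>`, quotes, `;`) pass through unchanged, and every newly noticed character will need yet another chained `.replace`. If generated window ids are restricted to a known alphabet, an allow-list is the more robust form, e.g. `return windowId.replaceAll("[^A-Za-z0-9_-]", "_");`, with the permitted set chosen to match what getOrCreateWindowId actually produces (that contract is not visible in this hunk, so the character class must be confirmed against the concrete strategies). The method also dereferences windowId without a null check, so a null id surfaces as a NullPointerException rather than a handled case; whether callers can pass null cannot be seen here. Independently of this sanitiser, the id should still be output-encoded wherever it is written into markup or script, since a single input-side rewrite does not cover every rendering context; the Javadoc could say so explicitly, e.g. `* Note: this is a defence-in-depth measure, not a substitute for encoding the id at the output site.`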