DELTASPIKE-1401 - Fix multiple XSS issues in ClientSideWindowStrategy
beikov committed Jan 16, 2020
1 parent 263fb91 commit 5383f44
Showing 4 changed files with 22 additions and 3 deletions.
5 changes: 5 additions & 0 deletions deltaspike/modules/jsf/impl-ee6/pom.xml
Expand Up @@ -137,6 +137,11 @@
<artifactId>deltaspike-proxy-module-impl-asm</artifactId>
</dependency>

<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
</dependency>

<dependency>
<groupId>org.apache.geronimo.specs</groupId>
<artifactId>geronimo-el_2.2_spec</artifactId>
5 changes: 5 additions & 0 deletions deltaspike/modules/jsf/impl/pom.xml
Expand Up @@ -119,6 +119,11 @@
<artifactId>deltaspike-proxy-module-impl-asm</artifactId>
</dependency>

<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
</dependency>

<dependency>
<groupId>org.apache.geronimo.specs</groupId>
<artifactId>geronimo-el_2.2_spec</artifactId>
Expand Up @@ -118,15 +118,17 @@ protected void sendWindowHandlerHtml(ExternalContext externalContext, String win

// set the windowId value in the javascript code
windowHandlerHtml = windowHandlerHtml.replace(WINDOW_ID_REPLACE_PATTERN,
windowId);
org.owasp.encoder.Encode.forJavaScriptBlock(windowId));
// set the current request url
// on the client we can't use window.location as the location
// could be a different when using forwards
windowHandlerHtml = windowHandlerHtml.replace(REQUEST_URL_REPLACE_PATTERN,
ClientWindowHelper.constructRequestUrl(externalContext));
org.owasp.encoder.Encode.forJavaScriptBlock(
ClientWindowHelper.constructRequestUrl(externalContext)));
// set the noscript-URL for users with no JavaScript
windowHandlerHtml =
windowHandlerHtml.replace(NOSCRIPT_URL_REPLACE_PATTERN, getNoscriptUrl(externalContext));
windowHandlerHtml.replace(NOSCRIPT_URL_REPLACE_PATTERN,
org.owasp.encoder.Encode.forHtmlAttribute(getNoscriptUrl(externalContext)));

OutputStream os = httpResponse.getOutputStream();
try
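Review bot: The `Encode.forJavaScriptBlock` calls on the `WINDOW_ID_REPLACE_PATTERN` and `REQUEST_URL_REPLACE_PATTERN` replacements only neutralize the value if the HTML template places each placeholder inside a quoted JavaScript string literal; the encoder escapes the characters that would break out of such a literal (quotes, backslash, slash) but does not supply the quotes, and the template is not visible in this hunk, so that precondition should be confirmed and recorded next to the first replacement, e.g. `// both values are encoded for a quoted JS string literal; the template must keep the placeholders inside quotes`. Likewise `Encode.forHtmlAttribute` on the noscript URL assumes a quoted attribute value and does not constrain the URL scheme, which is presumably fine because `getNoscriptUrl` is built server-side, but that is worth confirming when the template is checked. As a point of style, the three fully-qualified `org.owasp.encoder.Encode.…` calls would read better with `import org.owasp.encoder.Encode;` at the top of the file (the import block is outside this hunk). The enclosing `sendWindowHandlerHtml` starts before and ends after the hunk.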
7 changes: 7 additions & 0 deletions deltaspike/parent/pom.xml
Expand Up @@ -736,6 +736,13 @@
<scope>provided</scope>
</dependency>

<!-- dependency for DELTASPIKE-1401 -->
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>1.2.2</version>
</dependency>

<!-- TomEE dependencies -->
<dependency>
<groupId>org.apache.openejb</groupId>
