Fixed ETHREEOH-2888 "Incorrect system behavior on creating group with XSS in ASCII code and actions with it."

- Id is now decoded in the action links
- Added a nodeName validator to the web client for group ids (and usernames), since that is the validator Share already uses; as a consequence the "<" and ">" characters are now forbidden in those names

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16958 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Erik Winlof
2009-10-15 11:57:59 +00:00
parent c350b0140a
commit edf3bf9d3f
3 changed files with 53 additions and 2 deletions


@@ -270,6 +270,10 @@ public final class Utils extends StringUtils
buf.append(name); buf.append(name);
buf.append("'].value='"); buf.append("'].value='");
String val = params.get(name); String val = params.get(name);
if(val != null)
{
val = Utils.encode(val);
}
val = replace(val, "\\", "\\\\"); // encode escape character val = replace(val, "\\", "\\\\"); // encode escape character
val = replace(val, "'", "\\'"); // encode single quote as we wrap string with that val = replace(val, "'", "\\'"); // encode single quote as we wrap string with that
buf.append(val); buf.append(val);
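Review bot: The value is written into a single-quoted JavaScript string literal (`'].value='` on the line before), yet only backslash and single quote are escaped; a carriage return or line feed in `val` still terminates the literal and breaks (or, with further characters, alters) the generated script, which the new `Utils.encode` call does not address if it is an HTML-entity encoder as the name suggests. Add line-terminator escaping next to the existing replaces, `val = replace(val, "\r", "\\r");` and `val = replace(val, "\n", "\\n");`, so the literal can never span lines. Note also that if `Utils.encode` is entity encoding, the form field receives the entity text rather than the raw id, which presumably relies on the server-side decode mentioned in the commit message; a short comment stating that contract here, `// HTML-encoded on purpose; the action link handler decodes it`, would stop a later maintainer from "fixing" it. The enclosing method starts and ends outside this hunk.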


@@ -32,12 +32,16 @@
<%@ page import="org.alfresco.web.ui.common.PanelGenerator" %> <%@ page import="org.alfresco.web.ui.common.PanelGenerator" %>
<f:verbatim> <f:verbatim>
<script type="text/javascript" src="<%=request.getContextPath()%>/scripts/validation.js"> </script>
<script type="text/javascript"> <script type="text/javascript">
var finishButtonPressed = false;
window.onload = pageLoaded; window.onload = pageLoaded;
function pageLoaded() function pageLoaded()
{ {
document.getElementById("dialog:dialog-body:name").focus(); document.getElementById("dialog:dialog-body:name").focus();
document.getElementById("dialog").onsubmit = validate;
document.getElementById("dialog:finish-button").onclick = function() {finishButtonPressed = true;}
checkButtonState(); checkButtonState();
} }
@@ -52,8 +56,27 @@
document.getElementById("dialog:finish-button").disabled = false; document.getElementById("dialog:finish-button").disabled = false;
} }
} }
</script>
function validate()
{
if (finishButtonPressed)
{
finishButtonPressed = false;
var message = (window.gecko) ? $("dialog:dialog-body:validation_invalid_character").textContent : $("dialog:dialog-body:validation_invalid_character").innerText;
return validateName(document.getElementById("dialog:dialog-body:name"),
message,
true);
}
else
{
return true;
}
}
</script>
<h:outputText id="validation_invalid_character" style="display:none" value="#{msg.validation_invalid_character}" />
<table cellpadding="2" cellspacing="2" border="0" width="100%"> <table cellpadding="2" cellspacing="2" border="0" width="100%">
<tr> <tr>
<td colspan="2" class="wizardSectionHeading"></f:verbatim><h:outputText value="#{msg.group_props}" /><f:verbatim></td> <td colspan="2" class="wizardSectionHeading"></f:verbatim><h:outputText value="#{msg.group_props}" /><f:verbatim></td>
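Review bot: The new `validate()` only runs `validateName` when `finishButtonPressed` is true, and that flag is set solely by the finish button's `onclick`; since `pageLoaded()` focuses the name field, pressing Enter there submits the form through `onsubmit` with the flag still false, so the `else` branch returns true and the name is never checked. Invert the gate so the default submit path is validated and only buttons that must skip it (cancel) set a flag: replace the `if (finishButtonPressed)` test with `if (skipValidation) { skipValidation = false; return true; }` followed by the existing `validateName` call, with the cancel button's `onclick` setting `skipValidation = true` instead of the finish button setting `finishButtonPressed`. Independently of that, this is client-side validation only; unless the server also rejects "<" and ">" in the group id (not visible in this commit), it is a usability aid rather than a security control, and a comment saying so above `function validate()` would set expectations. Minor: `window.gecko` is not a standard property, so feature-detect instead, `var el = $("dialog:dialog-body:validation_invalid_character"); var message = (el.textContent !== undefined) ? el.textContent : el.innerText;`. The same pattern appears in the new-user wizard page in this commit.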


@@ -29,8 +29,11 @@
<%@ taglib uri="/WEB-INF/repo.tld" prefix="r" %> <%@ taglib uri="/WEB-INF/repo.tld" prefix="r" %>
<f:verbatim> <f:verbatim>
<script type="text/javascript" src="<%=request.getContextPath()%>/scripts/validation.js"> </script>
<script type="text/javascript"> <script type="text/javascript">
var finishButtonPressed = false;
window.onload = pageLoaded; window.onload = pageLoaded;
function pageLoaded() function pageLoaded()
@@ -39,6 +42,9 @@ function pageLoaded()
document.getElementById("wizard:wizard-body:userName").disabled == false) document.getElementById("wizard:wizard-body:userName").disabled == false)
{ {
document.getElementById("wizard:wizard-body:userName").focus(); document.getElementById("wizard:wizard-body:userName").focus();
document.getElementById("wizard").onsubmit = validate;
document.getElementById("wizard:finish-button").onclick = function() {finishButtonPressed = true;}
document.getElementById("wizard:next-button").onclick = function() {finishButtonPressed = true;}
} }
else else
{ {
@@ -46,7 +52,6 @@ function pageLoaded()
} }
updateButtonState(); updateButtonState();
} }
function updateButtonState() function updateButtonState()
{ {
if (document.getElementById("wizard:wizard-body:password") != null && if (document.getElementById("wizard:wizard-body:password") != null &&
@@ -71,7 +76,26 @@ function updateButtonState()
document.getElementById("wizard:next-button").disabled = false; document.getElementById("wizard:next-button").disabled = false;
} }
} }
function validate()
{
if (finishButtonPressed)
{
finishButtonPressed = false;
var message = (window.gecko) ? $("wizard:wizard-body:validation_invalid_character").textContent : $("wizard:wizard-body:validation_invalid_character").innerText;
return validateName(document.getElementById("wizard:wizard-body:userName"),
message,
true);
}
else
{
return true;
}
}
</script> </script>
<h:outputText id="validation_invalid_character" style="display:none" value="#{msg.validation_invalid_character}" />
</f:verbatim> </f:verbatim>
<h:panelGrid columns="1" cellpadding="2" style="padding-top: 4px; padding-bottom: 4px;" <h:panelGrid columns="1" cellpadding="2" style="padding-top: 4px; padding-bottom: 4px;"