DELTASPIKE-1401 - Fix multiple XSS issues in ClientSideWindowStrategy
diff --git a/deltaspike/modules/jsf/impl-ee6/pom.xml b/deltaspike/modules/jsf/impl-ee6/pom.xml
index 0bb3056..2d9a109 100644
--- a/deltaspike/modules/jsf/impl-ee6/pom.xml
+++ b/deltaspike/modules/jsf/impl-ee6/pom.xml
@@ -138,6 +138,11 @@
</dependency>
<dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ </dependency>
+
+ <dependency>
<groupId>org.apache.geronimo.specs</groupId>
<artifactId>geronimo-el_2.2_spec</artifactId>
<version>1.0</version>
diff --git a/deltaspike/modules/jsf/impl/pom.xml b/deltaspike/modules/jsf/impl/pom.xml
index d3ae797..0493453 100644
--- a/deltaspike/modules/jsf/impl/pom.xml
+++ b/deltaspike/modules/jsf/impl/pom.xml
@@ -120,6 +120,11 @@
</dependency>
<dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ </dependency>
+
+ <dependency>
<groupId>org.apache.geronimo.specs</groupId>
<artifactId>geronimo-el_2.2_spec</artifactId>
<version>1.0</version>
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/ClientSideWindowStrategy.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/ClientSideWindowStrategy.java
index 572da07..a18010c 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/ClientSideWindowStrategy.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/ClientSideWindowStrategy.java
@@ -118,15 +118,17 @@
// set the windowId value in the javascript code
windowHandlerHtml = windowHandlerHtml.replace(WINDOW_ID_REPLACE_PATTERN,
- windowId);
+ org.owasp.encoder.Encode.forJavaScriptBlock(windowId));
// set the current request url
// on the client we can't use window.location as the location
// could be a different when using forwards
windowHandlerHtml = windowHandlerHtml.replace(REQUEST_URL_REPLACE_PATTERN,
- ClientWindowHelper.constructRequestUrl(externalContext));
+ org.owasp.encoder.Encode.forJavaScriptBlock(
+ ClientWindowHelper.constructRequestUrl(externalContext)));
// set the noscript-URL for users with no JavaScript
windowHandlerHtml =
- windowHandlerHtml.replace(NOSCRIPT_URL_REPLACE_PATTERN, getNoscriptUrl(externalContext));
+ windowHandlerHtml.replace(NOSCRIPT_URL_REPLACE_PATTERN,
+ org.owasp.encoder.Encode.forHtmlAttribute(getNoscriptUrl(externalContext)));
OutputStream os = httpResponse.getOutputStream();
try
diff --git a/deltaspike/parent/pom.xml b/deltaspike/parent/pom.xml
index ec85019..acfbcd6 100644
--- a/deltaspike/parent/pom.xml
+++ b/deltaspike/parent/pom.xml
@@ -736,6 +736,13 @@
<scope>provided</scope>
</dependency>
+ <!-- dependency for DELTASPIKE-1401 -->
+ <dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.2</version>
+ </dependency>
+
<!-- TomEE dependencies -->
<dependency>
<groupId>org.apache.openejb</groupId>
