DELTASPIKE-1307 improve sanitise windowId

Also guard against html injection
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
index f98bdc7..dc621c1 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
@@ -98,12 +98,12 @@
 
     /**
      * We have to escape some characters to make sure we do not open
-     * any XSS vectors. E.g. replace () etc to
-     * prevent attackers from injecting JavaScript function calls.
+     * any XSS vectors. E.g. replace (,<, & etc to
+     * prevent attackers from injecting JavaScript function calls or html.
      */
     protected String sanitiseWindowId(String windowId)
     {
-        return windowId.replace('(', '_');
+        return windowId.replace('(', '_').replace('<', '_').replace('&', '_');
     }
 
     protected abstract String getOrCreateWindowId(FacesContext facesContext);
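Review bot: `sanitiseWindowId` is still a denylist: with this change only `(`, `<` and `&` are replaced, so quote characters, `>`, backslashes and line breaks in an attacker-influenced window id pass through unchanged. Where the id is written into the page is not visible in this hunk, but if it ends up inside a quoted attribute or a JavaScript string literal, those remaining characters are the ones that matter, and every new output context would need yet another `.replace`. An allowlist covers all of them in one step, e.g. `return windowId.replaceAll("[^A-Za-z0-9_-]", "_");`, assuming generated window ids use only those characters (to be confirmed against the id generator), ideally combined with a length cap. The Javadoc should then state which characters are permitted, rather than give examples of the ones that get replaced.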