commit | d95abe8c01d256da2ce0a5a88f4593138156a4e5 | [log] [tgz] |
---|---|---|
author | Mark Struberg <struberg@apache.org> | Sat Dec 30 10:55:20 2017 +0100 |
committer | Mark Struberg <struberg@apache.org> | Sat Dec 30 10:55:20 2017 +0100 |
tree | ecb9ef6937d41790dcd64a1f4619ccffb4f151b8 | |
parent | f271b6ac792e43e863f0f84c6a2fa1adae335ae3 [diff] |
DELTASPIKE-1307 improve sanitise windowId Also guard against html injection
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
index f98bdc7..dc621c1 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
@@ -98,12 +98,12 @@
 /**
 * We have to escape some characters to make sure we do not open
- * any XSS vectors. E.g. replace () etc to
- * prevent attackers from injecting JavaScript function calls.
+ * any XSS vectors. E.g. replace (,<, & etc to
+ * prevent attackers from injecting JavaScript function calls or html.
 */
 protected String sanitiseWindowId(String windowId)
 {
- return windowId.replace('(', '_');
+ return windowId.replace('(', '_').replace('<', '_').replace('&', '_');
 }
 protected abstract String getOrCreateWindowId(FacesContext facesContext);
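Review bot: The new `replace` chain in sanitiseWindowId still filters by deny-list, so characters such as `"`, `'`, `>` and `)` pass through unchanged, and each of them matters wherever the sanitised id is later written into an HTML attribute or a script literal. An allow-list that keeps only ASCII letters, digits, `-` and `_` and turns every other character into `_` is easier to reason about and does not need updating each time a new context is found; this assumes generated window ids use only those characters, which the hunk does not show and should be confirmed against the generator. The Javadoc should then describe the rule rather than list examples, e.g. `Keeps only ASCII letters, digits, '-' and '_' of the windowId and replaces every other character with '_', so the id can be safely embedded in HTML and JavaScript.` The chain also dereferences windowId unconditionally; if callers can pass null, the method should say so and handle it explicitly.
```java
    protected String sanitiseWindowId(String windowId)
    {
        if (windowId == null)
        {
            return null;
        }
        StringBuilder sb = new StringBuilder(windowId.length());
        for (int i = 0; i < windowId.length(); i++)
        {
            char c = windowId.charAt(i);
            boolean allowed = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                || (c >= '0' && c <= '9') || c == '-' || c == '_';
            sb.append(allowed ? c : '_');
        }
        return sb.toString();
    }
```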