dev@javaserverfaces.java.net

Re: OutputText not encoding output

From: manfred riem <manfred.riem_at_oracle.com>
Date: Thu, 16 Jan 2014 12:02:36 -0600

Moving conversation to dev_at_javaserverfaces.java.net

Hi Alvaro,

Can you please file an issue on the issue tracker?

Can you verify it is also not fixed in 2.2.5 as that is our latest 2.2
release.

Thanks!
Manfred


On 1/16/14, 11:55 AM, alvaro.picapau_at_gmail.com wrote:
> Hi guys,
>
> This morning I found that <h:outputText /> was not escaping its value.
> After some WTFs and debugging it I found that it only happens when
> there is a <script> block above. But it's not just outputText, also
> the raw EL is affected. In the following snippet, cases 4,5,6 are not
> escaped:
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>
> <html xmlns="http://www.w3.org/1999/xhtml"
> xmlns:ui="http://java.sun.com/jsf/facelets"
> xmlns:f="http://java.sun.com/jsf/core"
> xmlns:h="http://java.sun.com/jsf/html">
>
> <h:outputText name="id" id="id" value="#{param['id']}"></h:outputText>
> <!-- Case 2-->
> <h:inputHidden name="id" id="id"
> value="#{param['id']}"></h:inputHidden>
> <!-- Case 3 -->
> <input type="hidden" name="id" id="id" value="#{param['id']}"/>
> #{param['id']}
> <script>
> // case 4
> var paramId = #{param['id2']};
> // case 5
> var paramIdd = "<h:outputText value="#{param['id3']}" />";
> </script>
> <!-- Case 6 -->
> #{param['id4']}
> </html>
>
> I searched the web and found
> https://java.net/jira/browse/JAVASERVERFACES-2503 saying it was a bug
> in 2.1.12, but I tried 2.1.13 and 2.2.4 and I'm still getting this
> behaviour.
>
> My relevant parts of the pom:
> <dependency>
> <groupId>com.sun.faces</groupId>
> <artifactId>jsf-api</artifactId>
> <version>2.2.4</version>
> </dependency>
> <dependency>
> <groupId>com.sun.faces</groupId>
> <artifactId>jsf-impl</artifactId>
> <version>2.2.4</version>
> </dependency>
>
> Am I missing something?
> This is quite serious for developers thinking their data is escaped and
> XSS free!
>
> Thanks,
> Alvaro
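The six cases in the quoted page fall into two different output contexts, and that is the point worth making for anyone reading this thread: HTML-entity escaping (what h:outputText is expected to apply) is the right encoder for cases 1, 2, 3 and 6, but a value rendered inside a script block (cases 4 and 5) needs JavaScript-string encoding instead, and a bare `var paramId = #{param['id2']};` cannot be made safe by any escaper because nothing delimits the value. The class below is an added example written for this thread; it is not Mojarra or JSF code, the encoder and check names are assumptions, and the input value is constructed. It renders each fragment with the encoder its context needs and includes the regression check a developer would want after this report: render the page with a marker value and confirm the marker does not reach the output verbatim.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Mojarra/JSF code): one value, two output contexts,
 * two encoders. Helper names are assumptions made for this example.
 */
public final class OutputEncodingDemo {

    /** Escapes the characters that are significant in HTML text and attribute values. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Encodes a value for use inside a JavaScript string literal: every
     * non-alphanumeric character becomes a \xHH or \uHHHH escape, so neither
     * a quote nor a closing script tag can terminate the literal or the block.
     * HTML entities would be wrong here, since the browser does not decode
     * entities inside a script element.
     */
    static String encodeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 4);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x80 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else if (c < 0x100) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    /** Renders the fragments from the reported page with the encoder each context requires. */
    static List<String> renderSafely(String value) {
        return Arrays.asList(
            // cases 1-3 and 6: HTML text or attribute context -> HTML escaping
            "<span id=\"id\">" + escapeHtml(value) + "</span>",
            "<input type=\"hidden\" name=\"id\" id=\"id\" value=\"" + escapeHtml(value) + "\"/>",
            // case 4: a bare expression in script context has no delimiter to protect;
            // the safe form quotes it and JS-encodes, converting on the client if needed
            "var paramId = \"" + encodeJsString(value) + "\";",
            // case 5: value inside a JS string literal -> JS string encoding
            "var paramIdd = \"" + encodeJsString(value) + "\";");
    }

    /** Regression check: true if the raw marker value reached the output unchanged. */
    static boolean leaksRawValue(String rendered, String raw) {
        return rendered.contains(raw);
    }

    public static void main(String[] args) {
        String value = "a\"<b>&c";   // constructed marker standing in for #{param['id']}
        String reported = "var paramIdd = \"" + value + "\";";   // the unescaped output from the thread
        System.out.println((leaksRawValue(reported, value) ? "LEAK  " : "ok    ") + reported);
        for (String fragment : renderSafely(value)) {
            System.out.println((leaksRawValue(fragment, value) ? "LEAK  " : "ok    ") + fragment);
        }
    }
}
```

Running it prints the reported fragment flagged as a leak and the four context-correct fragments passing; for the marker value the HTML escaper yields `a&quot;&lt;b&gt;&amp;c` and the script encoder yields `a\x22\x3Cb\x3E\x26c`. The same marker-based check, driven through a real request against the Facelets page in the report, is a cheap way to confirm whether 2.2.5 still shows the behaviour.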