dev@javaserverfaces.java.net

OutputText not encoding output

From: Alvaro <alvaro.picapau_at_gmail.com>
Date: Thu, 16 Jan 2014 19:35:30 +0100

Hi,

Just verified that it also affects 2.2.5

Cheers,
A

Moving conversation to dev_at_javaserverfaces.java.net

Hi Alvaro,

Can you please file an issue on the issue tracker?

Can you verify it is also not fixed in 2.2.5 as that is our latest 2.2
release.

Thanks!

Manfred


On 1/16/14, 11:55 AM, alvaro.picapau_at_gmail.com wrote:
> Hi guys,
>
> This morning I found that <h:outputText /> was not escaping its value.
> After some WTFs and debugging it I found that it only happens when
> there is a <script> block above. But it's not just outputContext, also
> the raw EL is affected. In the following snippet, cases 4,5,6 are not
> escaped:
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
>         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>
> <html xmlns="http://www.w3.org/1999/xhtml"
>       xmlns:ui="http://java.sun.com/jsf/facelets"
>       xmlns:f="http://java.sun.com/jsf/core"
>       xmlns:h="http://java.sun.com/jsf/html">
>
> <h:outputText name="id" id="id" value="#{param['id']}"></h:outputText>
> <!-- Case 2 -->
> <h:inputHidden name="id" id="id"
> value="#{param['id']}"></h:inputHidden>
> <!-- Case 3 -->
> <input type="hidden" name="id" id="id" value="#{param['id']}"/>
> #{param['id']}
> <script>
> // case 4
> var paramId = #{param['id2']};
> // case 5
> var paramIdd = "<h:outputText value="#{param['id3']}" />";
> </script>
> <!-- Case 6 -->
> #{param['id4']}
> </html>
>
> I searched the web and found
> https://java.net/jira/browse/JAVASERVERFACES-2503 saying it was a bug
> in 2.1.12, but I tried 2.1.13 and 2.2.4 and I'm still getting this
> behaviour.
>
> My relevant parts of the pom:
> <dependency>
> <groupId>com.sun.faces</groupId>
> <artifactId>jsf-api</artifactId>
> <version>2.2.4</version>
> </dependency>
> <dependency>
> <groupId>com.sun.faces</groupId>
> <artifactId>jsf-impl</artifactId>
> <version>2.2.4</version>
> </dependency>
>
> Am I missing something?
> This is quite serious for developers thinking their data is escaped and
> XSS free!
>
> Thanks,
> Alvaro