dev@javaserverfaces.java.net

Re: OutputText not encoding output

From: Alvaro <alvaro_at_pwntester.com>
Date: Thu, 16 Jan 2014 20:03:20 +0100

Hi,

Just verified it also affects 2.2.5

Cheers,
A

Blog: www.pwntester.com
Twitter: @pwntester


On Thu, Jan 16, 2014 at 7:02 PM, manfred riem <manfred.riem_at_oracle.com> wrote:

> Moving conversation to dev_at_javaserverfaces.java.net
>
> Hi Alvaro,
>
> Can you please file an issue on the issue tracker?
>
> Can you verify it is also not fixed in 2.2.5 as that is our latest 2.2
> release.
>
> Thanks!
> Manfred
>
>
>
> On 1/16/14, 11:55 AM, alvaro.picapau_at_gmail.com wrote:
>
>> Hi guys,
>>
>> This morning I found that <h:outputText /> was not escaping its value.
>> After some WTFs and debugging it I found that it only happens when
>> there is a <script> block above. But it's not just outputContext, also
>> the raw EL is affected. In the following snippet, cases 4, 5 and 6 are not
>> escaped:
>>
>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
>> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>>
>> <html xmlns="http://www.w3.org/1999/xhtml"
>> xmlns:ui="http://java.sun.com/jsf/facelets"
>> xmlns:f="http://java.sun.com/jsf/core"
>> xmlns:h="http://java.sun.com/jsf/html">
>>
>> <h:outputText name="id" id="id" value="#{param['id']}"></h:outputText>
>> <!-- Case 2-->
>> <h:inputHidden name="id" id="id"
>> value="#{param['id']}"></h:inputHidden>
>> <!-- Case 3 -->
>> <input type="hidden" name="id" id="id" value="#{param['id']}"/>
>> #{param['id']}
>> <script>
>> // case 4
>> var paramId = #{param['id2']};
>> // case 5
>> var paramIdd = "<h:outputText value="#{param['id3']}" />";
>> </script>
>> <!-- Case 6 -->
>> #{param['id4']}
>> </html>
>>
>> I searched the web and found
>> https://java.net/jira/browse/JAVASERVERFACES-2503 saying it was a bug
>> in 2.1.12, but I tried 2.1.13 and 2.2.4 and I'm still getting this
>> behaviour.
>>
>> My relevant parts of the pom:
>> <dependency>
>> <groupId>com.sun.faces</groupId>
>> <artifactId>jsf-api</artifactId>
>> <version>2.2.4</version>
>> </dependency>
>> <dependency>
>> <groupId>com.sun.faces</groupId>
>> <artifactId>jsf-impl</artifactId>
>> <version>2.2.4</version>
>> </dependency>
>>
>> Am I missing something?
>> This is quite serious for developers thinking their data is escaped and
>> XSS free!
>>
>> Thanks,
>> Alvaro
>>
>
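A regression check for the behaviour described in the thread, as an added example that is not part of the mailing-list exchange or of the Mojarra project: it sends the same benign marker through every output point of the reported Facelet and reports each copy that reached the rendered page without HTML-escaping, noting whether it landed inside a <script> element. The response bodies below are constructed to mirror the report (value escaped before the script block, raw in cases 4, 5 and 6); fetching a real deployment with probe_params() is assumed to be done by the caller.

```python
import html
import re

# Constructed probe value: a benign tag that must never reach the browser verbatim.
MARKER = '<b id="xss-probe">probe</b>'

# Request parameters read by the Facelet in the report; every one gets the same marker.
PARAM_NAMES = ("id", "id2", "id3", "id4")


def probe_params(marker=MARKER):
    """Query parameters to send to the page under test (hypothetical helper)."""
    return {name: marker for name in PARAM_NAMES}


def find_unescaped(body, marker=MARKER):
    """Locate every verbatim copy of the marker in a rendered page.

    Returns (offset, context) pairs; context is 'script' when the copy sits inside
    a <script>...</script> element and 'html' otherwise. A verbatim copy means that
    output point rendered the parameter without HTML-escaping it.
    """
    script_spans = [(m.start(), m.end())
                    for m in re.finditer(r"<script\b.*?</script>", body, re.S | re.I)]
    hits = []
    for m in re.finditer(re.escape(marker), body):
        context = "script" if any(s <= m.start() < e for s, e in script_spans) else "html"
        hits.append((m.start(), context))
    return hits


def escaped_count(body, marker=MARKER):
    """Number of output points that rendered the marker as HTML entities."""
    return body.count(html.escape(marker, quote=True))


def escaping_ok(body, marker=MARKER):
    """True when no output point leaked the marker unescaped."""
    return not find_unescaped(body, marker)


# Constructed response bodies shaped like the report: escaped before the <script>
# block, raw inside and after it (cases 4, 5 and 6); FIXED_BODY is the expected output.
ESCAPED = html.escape(MARKER, quote=True)
VULNERABLE_BODY = (
    f'<html>\n<span id="id">{ESCAPED}</span>\n<input type="hidden" value="{ESCAPED}"/>\n'
    f'<script>\nvar paramId = {MARKER};\nvar paramIdd = "{MARKER}";\n</script>\n'
    f'{MARKER}\n</html>'
)
FIXED_BODY = VULNERABLE_BODY.replace(MARKER, ESCAPED)
```

HTML-entity escaping only protects HTML contexts; a value that ends up inside a script block (cases 4 and 5) needs JavaScript-aware encoding even once the escaping bug itself is fixed.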