Bug 532688 - Dom based cross site scripting in generated code by Lyo
Code Generator
modified delegatedUI.js to escape urls to avoid escapeCSSAttacks.
Change-Id: I05f464f62ddebd5a0cc2038e88169ba68f8e60cc
Also-By: Rahul Singh <rahsingh@us.ibm.com>
Signed-off-by: Jad El-khoury <jad@kth.se>
diff --git a/org.eclipse.lyo.oslc4j.codegenerator/src/org/eclipse/lyo/oslc4j/codegenerator/jsp/generateDelegatedUIJavaScripts.mtl b/org.eclipse.lyo.oslc4j.codegenerator/src/org/eclipse/lyo/oslc4j/codegenerator/jsp/generateDelegatedUIJavaScripts.mtl
index d6f1600..1e9ebf8 100644
--- a/org.eclipse.lyo.oslc4j.codegenerator/src/org/eclipse/lyo/oslc4j/codegenerator/jsp/generateDelegatedUIJavaScripts.mtl
+++ b/org.eclipse.lyo.oslc4j.codegenerator/src/org/eclipse/lyo/oslc4j/codegenerator/jsp/generateDelegatedUIJavaScripts.mtl
@@ -162,7 +162,7 @@
function respondWithWindowName(/*string*/ response) {
- var returnURL = window.name;
+ var returnURL = escapeCSSAttack(window.name);
window.name = response;
window.location.href = returnURL;
@@ -179,5 +179,23 @@
function cancel(){
sendCancelResponse();
}
+
+function escapeCSSAttack(url) {
+ var out = "";
+ for(var i=0; i<url.length; i++) {
+ if(url['[i]'/] === '<') {
+ out += '&lt;';
+ } else if(url['[i]'/] === '>') {
+ out += '&gt;';
+ } else if(url['[i]'/] === "'") {
+ out += '&#39;';
+ } else if(url['[i]'/] === '"') {
+ out += '&quot;';
+ } else {
+ out += url['[i]'/];
+ }
+ }
+ return out;
+}
[/file]
[/template]