Bug 793952 (JBEPP-1023)

Summary: Gadget source is escaped in editor
Product: [JBoss] JBoss Enterprise Portal Platform 5
Reporter: Michal Vanco <mvanco>
Component: unspecified
Assignee: hfnukal <hfnukal>
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Version: 5.1.1.CR01
CC: epp-bugs, hfnukal, mvecera, theute, tkyjovsk
Target Milestone: ---
Target Release: 5.1.1.GA
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/JBEPP-1023
Doc Type: Bug Fix
Environment: EPP5.1.1 CR01
Last Closed: 2011-08-02 05:54:44 UTC
Type: Bug
Attachments:
gadget-escaped.png (flags: none)
gadget-escaped2.png (flags: none)
editing-wcm-templates.png (flags: none)

Description Michal Vanco 2011-07-25 12:36:40 UTC
Affects: Release Notes
project_key: JBEPP

Source of gadget is escaped in editor and thus can't be saved -> "This source is invalid gadget specification."

To reproduce:
   - go to App.registry -> Gadget
1) - click Create a new gadget -> source is escaped with &lt; &gt; &quot; and can't be saved (screen 1)
(SampleGadget.groovy contains valid html source of gadget)
2) - edit any existing gadget -> source is escaped as well (screen 2)

It's possible to save gadget only after changing all special characters.
It seems that escaping happens when source is loaded in editor.

Comment 1 Michal Vanco 2011-07-25 12:37:07 UTC
Attachment: Added: gadget-escaped.png
Attachment: Added: gadget-escaped2.png


Comment 2 Michal Vanco 2011-07-25 12:38:01 UTC
Link: Added: This issue relates to JBQA-4899


Comment 3 Tomas Kyjovsky 2011-07-25 13:08:14 UTC
This issue also affects the WCM extension as it relies on groovy templates for content presentation and editing.

Comment 4 Tomas Kyjovsky 2011-07-25 13:08:14 UTC
Attachment: Added: editing-wcm-templates.png


Comment 5 Michal Vanco 2011-07-25 13:26:54 UTC
Link: Added: This issue relates to GTNPORTAL-1967


Comment 6 Tomas Kyjovsky 2011-07-25 13:39:58 UTC
Probably caused by: GTNPORTAL-1955

Comment 7 Tomas Kyjovsky 2011-07-25 13:45:45 UTC
Link: Added: This issue relates to GTNPORTAL-1955


Comment 9 hfnukal@redhat.com 2011-07-26 13:33:41 UTC
I investigated more on this and it seems like it is encoded twice.

IMHO the right place to encode the value is when rendering, as this is the UI component's responsibility.
On the other hand, this component is used by many others, and some pass value encoded, some not.

Eg:

In UIGadgetEditor there is this method, and it encodes the value; this causes double encoding:

  public void processRender(WebuiRequestContext context) throws Exception
  {
     UIFormTextAreaInput uiInputSource = getUIFormTextAreaInput(FIELD_SOURCE);
     UIFormStringInput uiInputName = getUIStringInput(FIELD_NAME);
     String encoded = StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(uiInputSource.getValue()));
     uiInputSource.setValue(encoded);
     if(this.isEdit()) {
        uiInputName.setEditable(false);
     }

     super.processRender(context);
  }

There is probably more code like this; I think the best is to clean it up here.
Unfortunately it is probably in SP in similar way too.

If we disable encoding in UIFormTextAreaInput, it will fix double encoding, but enable XSS where it is not encoded.
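
The trade-off described in comment 9, shown as an added example that is not part of the original bug report or the portal's code. The class, the `escapeHtml` stand-in, the two renderers and the sample values are hypothetical and constructed for illustration; they are not the UIFormTextAreaInput implementation.

```java
public class TextAreaEncodingDemo {
    // Minimal stand-in for an HTML escaper (assumption: not the portal's encoder).
    // '&' is replaced first so the entities produced below are not re-escaped.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    // Hypothetical text area renderer that encodes its value on output.
    static String renderEncoding(String value) {
        return "<textarea>" + escapeHtml(value) + "</textarea>";
    }

    // Hypothetical text area renderer with output encoding disabled.
    static String renderRaw(String value) {
        return "<textarea>" + value + "</textarea>";
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String source = "<Module><ModulePrefs title=\"Sample\"/></Module>";
        String breakout = "</textarea><b>injected</b>";

        // 1. Caller pre-encodes and the renderer encodes again. The browser
        //    decodes one level only, so the editor displays &lt;Module&gt;...
        //    and that text is what gets submitted on save.
        System.out.println(renderEncoding(escapeHtml(source)));

        // 2. Caller passes the raw value and the renderer encodes once:
        //    the editor displays the original source.
        System.out.println(renderEncoding(source));

        // 3. Renderer encoding disabled: the pre-encoding caller now works ...
        System.out.println(renderRaw(escapeHtml(source)));

        // 4. ... but a caller that passes a raw value emits live markup
        //    that closes the textarea early.
        System.out.println(renderRaw(breakout));
    }
}
```

Case 1 is the symptom reported here, and case 4 is why turning off encoding in the shared component only moves the problem: every caller has to agree on passing raw values, with encoding done once at render time.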


Comment 10 hfnukal@redhat.com 2011-08-01 11:12:10 UTC
Removing org.gatein.common.text.EntityEncoder

Comment 11 hfnukal@redhat.com 2011-08-01 11:12:10 UTC
Link: Added: This issue is related to JBEPP-1028


Comment 12 hfnukal@redhat.com 2011-08-02 05:46:47 UTC
Link: Added: This issue relates to JBEPP-997


Comment 13 Scott Mumford 2011-08-09 04:20:37 UTC
Release Notes Docs Status: Added: Not Required


Comment 14 Scott Mumford 2011-08-09 05:19:06 UTC
Release Notes Docs Status: Removed: Not Required Added: Needs More Info
Release Notes Text: Added: This issue requires more information about how it was resolved if it requires a 5.1.1 Release Note.


Comment 15 Michal Vanco 2011-08-24 12:27:58 UTC
Release Notes Text: Removed: This issue requires more information about how it was resolved if it requires a 5.1.1 Release Note. Added: Issue was a side effect of fix for JBEPP-997 (XSS vulnerability) which affected all textarea inputs. It caused the status when value in text area was encoded twice (thus can not be saved because invalid format).
Change was done at related issue and content in gadget editor is now properly encoded.
Affects: Added: [Release Notes]


Comment 16 Scott Mumford 2011-08-25 03:18:40 UTC
Release Notes Text: Removed: Issue was a side effect of fix for JBEPP-997 (XSS vulnerability) which affected all textarea inputs. It caused the status when value in text area was encoded twice (thus can not be saved because invalid format).
Change was done at related issue and content in gadget editor is now properly encoded. Added: A fix that was implemented to resolve an XSS vulnerability affected all textarea inputs and caused any gadget source code entered into the App Registry to be escaped with <> characters and rendered invalid to the portal. This prevented new gadgets being added to the portal as well as preventing any changes being made to existing gadgets. The underlying issue was resolved in a fix for another bug and as a result this issue no longer presents.


Comment 17 Thomas Heute 2011-08-31 11:14:48 UTC
Release Notes Docs Status: Removed: Needs More Info Added: Not Required


Comment 18 hfnukal@redhat.com 2011-08-31 15:40:33 UTC
Link: Added: This issue is related to GTNPORTAL-2073