JSF SelectItems and escaping (xss)


Question


There is a selectOneMenu in my example with an f:selectItems attribute. The select items are resolved from my bean like this:

<h:selectOneMenu value="#{bean.value}">
    <f:selectItems value="#{bean.selectItems}" var="obj" itemValue="#{obj}" itemLabel="#{obj.name}"/>
</h:selectOneMenu>


The method getSelectItems() in my bean looks like this:

    public List<MyObject> getSelectItems() {
        List<MyObject> list = new LinkedList<MyObject>();

        MyObject obj = new MyObject("Peter");
        list.add(obj);

        return list;
    }


The objects that are displayed are simple objects with an attribute "name".


Nothing special up to this point. But now I change my method to this:

    public List<MyObject> getSelectItems() {
        List<MyObject> list = new LinkedList<MyObject>();

        MyObject obj = new MyObject("<script>alert('xss is bad');</script>");
        list.add(obj);

        return list;
    }


The JavaScript doesn't get escaped by the MenuRenderer class and my page shows me the alert message.


Is there any cause why the default value of the escape attribute of SelectItem is "false"? How can I fix that problem? (I use Mojarra 2.1.7)

Answer


The default should indeed not have been false. I've reported it as issue 2747.


In the meanwhile, add itemLabelEscaped="true" to escape it anyway.

<f:selectItems ... itemLabelEscaped="true" />


Note that this is only necessary when you're using GenericObjectSelectItems, i.e. when you're supplying a E[]/List<E>/Map<K, V> instead of List<SelectItem>/SelectItem[]. Also note that escaping is only absolutely mandatory when it concerns user-controlled input (which is fortunately very rarely the case in dropdown values).
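To make concrete what `itemLabelEscaped="true"` changes in the rendered markup, here is an added, self-contained Java example. It is not Mojarra's MenuRenderer and not the questioner's bean; it is a stand-in renderer that writes one `<option>` per item, once with the label written raw (the behaviour the question observed) and once with the label HTML-escaped (what the attribute requests). The `MyObject` class, the `escapeHtml` helper and the `renderOptions` method are assumptions for the example; the value attribute is escaped in both modes because it sits inside a quoted attribute, which is an assumption about the renderer, not a statement about Mojarra internals.

```java
import java.util.LinkedList;
import java.util.List;

/**
 * Added example, not part of the question, the answer, or Mojarra.
 * Simulates how a select renderer turns a list of objects into
 * <option> elements, with and without escaping of the item label.
 */
public class SelectItemEscapeDemo {

    /** Minimal stand-in for the question's MyObject (assumed shape). */
    public static final class MyObject {
        private final String name;

        public MyObject(String name) {
            this.name = name;
        }

        public String getName() {
            return name;
        }

        @Override
        public String toString() {
            return name;
        }
    }

    /** Escapes the characters that matter in HTML text and quoted attribute values. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Renders one <option> per item. The value attribute is always escaped
     * (assumed: it is inside a quoted attribute); the label between the tags
     * is escaped only when itemLabelEscaped is true, mirroring the
     * f:selectItems attribute discussed in the answer.
     */
    public static String renderOptions(List<MyObject> items, boolean itemLabelEscaped) {
        StringBuilder out = new StringBuilder();
        for (MyObject obj : items) {
            String label = obj.getName();
            out.append("<option value=\"")
               .append(escapeHtml(obj.toString()))
               .append("\">")
               .append(itemLabelEscaped ? escapeHtml(label) : label)
               .append("</option>\n");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        List<MyObject> items = new LinkedList<>();
        items.add(new MyObject("Peter"));
        // Constructed label reproducing the payload from the question.
        items.add(new MyObject("<script>alert('xss is bad');</script>"));

        System.out.println("itemLabelEscaped=\"false\" (label written raw):");
        System.out.print(renderOptions(items, false));

        System.out.println("itemLabelEscaped=\"true\" (label escaped):");
        System.out.print(renderOptions(items, true));

        // Quick self-check: the escaped rendering contains no raw tag from the label.
        String escaped = renderOptions(items, true);
        if (escaped.contains("<script>")) {
            throw new AssertionError("label was not escaped");
        }
    }
}
```

Compile and run with `javac SelectItemEscapeDemo.java && java SelectItemEscapeDemo`. In the escaped output the second option reads `&lt;script&gt;alert(&#39;xss is bad&#39;);&lt;/script&gt;`, which the browser shows as literal text in the dropdown instead of executing; in the raw output the script element lands in the page unchanged, which is the alert the question reports. Where the dropdown values come from user-controlled data (the case the answer singles out), the escaped form is the one to require.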
