Bugzilla – Attachment 97480 Details for Bug 223980: [Webapp][Security] Unencoded strings inserted into JavaScript
[patch] Patch: patch223980.txt (text/plain), 10.25 KB, created by Chris Goldthorpe on 2008-04-24 12:01:44 EDT
>### Eclipse Workspace Patch 1.0 >#P org.eclipse.help.webapp >Index: advanced/workingSetManager.jsp >=================================================================== >RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/advanced/workingSetManager.jsp,v >retrieving revision 1.59 >diff -u -r1.59 workingSetManager.jsp >--- advanced/workingSetManager.jsp 19 Nov 2007 22:34:46 -0000 1.59 >+++ advanced/workingSetManager.jsp 24 Apr 2008 15:57:12 -0000 >@@ -291,8 +291,8 @@ > href='#' > onclick="active=this;highlightHandler()" > ondblclick="selectWorkingSet()" >- title="<%=wsets[i]%>"> >- <%=wsets[i]%> >+ title="<%=UrlUtil.htmlEncode(wsets[i])%>"> >+ <%=UrlUtil.htmlEncode(wsets[i])%> > </a> > </td> > </tr> >Index: advanced/workingSet.jsp >=================================================================== >RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/advanced/workingSet.jsp,v >retrieving revision 1.51 >diff -u -r1.51 workingSet.jsp >--- advanced/workingSet.jsp 19 Nov 2007 22:34:46 -0000 1.51 >+++ advanced/workingSet.jsp 24 Apr 2008 15:57:12 -0000 >@@ -144,7 +144,7 @@ > var plus = new Image(); > plus.src = "<%=prefs.getImagesDirectory()%>"+"/plus.gif"; > >-var oldName = '<%=data.isEditMode()?data.getWorkingSetName():""%>'; >+var oldName = '<%=data.isEditMode()?UrlUtil.JavaScriptEncode(data.getWorkingSetName()):""%>'; > var altBookClosed = "<%=UrlUtil.JavaScriptEncode(ServletResources.getString("bookClosed", request))%>"; > var altBookOpen = "<%=UrlUtil.JavaScriptEncode(ServletResources.getString("bookOpen", request))%>"; 
> >@@ -382,7 +382,8 @@ > <table id="wsTable" width="100%" cellspacing=0 cellpading=0 border=0 align=center > > <tr><td style="padding:5px 10px 0px 10px;"><label for="workingSet" accesskey="<%=ServletResources.getAccessKey("WorkingSetName", request)%>"><%=ServletResources.getLabel("WorkingSetName", request)%></label> > </td></tr> >- <tr><td style="padding:0px 10px;"><input type="text" id="workingSet" name="workingSet" value='<%=data.isEditMode()?data.getWorkingSetName():""%>' maxlength=256 alt='<%=ServletResources.getString("WorkingSetName", request)%>' title='<%=ServletResources.getString("WorkingSetName", request)%>' onkeyup="enableOK();return true;"> >+ <tr><td style="padding:0px 10px;"><input type="text" id="workingSet" name="workingSet" >+ value='<%=data.isEditMode()?UrlUtil.htmlEncode(data.getWorkingSetName()):""%>' maxlength=256 alt='<%=ServletResources.getString("WorkingSetName", request)%>' title='<%=ServletResources.getString("WorkingSetName", request)%>' onkeyup="enableOK();return true;"> > </td></tr> > <tr><td><div id="selectBook" style="padding-top:5px; margin-<%=isRTL?"right":"left"%>:10px;"><%=ServletResources.getString("WorkingSetContent", request)%>:</div> > </td></tr> >Index: advanced/nav.jsp >=================================================================== >RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/advanced/nav.jsp,v >retrieving revision 1.39 >diff -u -r1.39 nav.jsp >--- advanced/nav.jsp 19 Nov 2007 22:34:46 -0000 1.39 >+++ advanced/nav.jsp 24 Apr 2008 15:57:12 -0000 
>@@ -95,8 +95,8 @@ > </head> > > <frameset id="navFrameset" rows="*,21" framespacing="0" border="0" frameborder="0" scrolling="no"> >- <frame name="ViewsFrame" title="<%=ServletResources.getString("ignore", "ViewsFrame", request)%>" src='<%="views.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes> >- <frame name="TabsFrame" title="<%=ServletResources.getString("TabsFrame", request)%>" src='<%="tabs.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize> >+ <frame name="ViewsFrame" title="<%=ServletResources.getString("ignore", "ViewsFrame", request)%>" src='<%="views.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes> >+ <frame name="TabsFrame" title="<%=ServletResources.getString("TabsFrame", request)%>" src='<%="tabs.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize> > </frameset> > > </html> >\ No newline at end of file >Index: advanced/searchView.jsp >=================================================================== >RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/advanced/searchView.jsp,v >retrieving revision 1.31 >diff -u -r1.31 searchView.jsp >--- advanced/searchView.jsp 4 Sep 2007 18:06:48 -0000 1.31 >+++ advanced/searchView.jsp 24 Apr 2008 15:57:12 -0000 
>@@ -41,7 +41,7 @@ > var cookiesRequired = "<%=UrlUtil.JavaScriptEncode(ServletResources.getString("cookiesRequired", request))%>"; > > function refresh() { >- window.location.replace("searchView.jsp?<%=request.getQueryString()%>"); >+ window.location.replace("searchView.jsp?<%=UrlUtil.JavaScriptEncode(request.getQueryString())%>"); > } > > function isShowCategories() { >Index: advanced/searchScoped.jsp >=================================================================== >RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/advanced/searchScoped.jsp,v >retrieving revision 1.21 >diff -u -r1.21 searchScoped.jsp >--- advanced/searchScoped.jsp 17 Oct 2007 18:04:40 -0000 1.21 >+++ advanced/searchScoped.jsp 24 Apr 2008 15:57:12 -0000 >@@ -261,8 +261,8 @@ > <a id="scopeLabel" href="javascript:openAdvanced();" title='<%=ServletResources.getString("ScopeTooltip", request)%>' alt='<%=ServletResources.getString("ScopeTooltip", request)%>' onmouseover="window.status='<%=UrlUtil.JavaScriptEncode(ServletResources.getString("ScopeTooltip", request))%>'; return true;" onmouseout="window.status='';"><%=ServletResources.getLabel("Scope", request)%></a> > </td> > <td nowrap> >- <input type="hidden" name="workingSet" value='<%=data.getScope()%>'> >- <div id="scope" ><%=data.getScope()%></div> >+ <input type="hidden" name="workingSet" value='<%=UrlUtil.htmlEncode(data.getScope())%>'> >+ <div id="scope" ><%=UrlUtil.htmlEncode(data.getScope())%></div> > </td> > </tr> > >Index: advanced/bookmarksView.jsp >=================================================================== >RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/advanced/bookmarksView.jsp,v >retrieving revision 1.30 >diff -u -r1.30 bookmarksView.jsp >--- advanced/bookmarksView.jsp 2 Mar 2007 19:23:16 -0000 1.30 >+++ advanced/bookmarksView.jsp 24 Apr 2008 15:57:12 -0000 
>@@ -126,7 +126,7 @@ > <tr class='list' id='r<%=i%>'> > <td align='<%=isRTL?"right":"left"%>' class='label' nowrap> > <a id='a<%=i%>' >- href='<%=bookmarks[i].getHref()%>' >+ href='<%=UrlUtil.htmlEncode(bookmarks[i].getHref())%>' > onmouseover="showStatus(event);return true;" > onmouseout="clearStatus();return true;" > oncontextmenu="contextMenuHandler(event);return false;" >Index: advanced/content.jsp >=================================================================== >RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/advanced/content.jsp,v >retrieving revision 1.30 >diff -u -r1.30 content.jsp >--- advanced/content.jsp 19 Nov 2007 22:34:46 -0000 1.30 >+++ advanced/content.jsp 24 Apr 2008 15:57:12 -0000 >@@ -47,7 +47,7 @@ > > <frameset id="contentFrameset" rows="24,*" frameborder="0" framespacing="0" border=0 spacing=0> > <frame name="ContentToolbarFrame" title="<%=ServletResources.getString("topicViewToolbar", request)%>" src='<%="contentToolbar.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize=0> >- <frame ACCESSKEY="K" name="ContentViewFrame" title="<%=ServletResources.getString("topicView", request)%>" src='<%=data.getContentURL()%>' marginwidth="10"<%=(data.isIE() && "6.0".compareTo(data.getIEVersion()) <=0)?"scrolling=\"yes\"":""%> marginheight="0" frameborder="0" > >+ <frame ACCESSKEY="K" name="ContentViewFrame" title="<%=ServletResources.getString("topicView", request)%>" src='<%=UrlUtil.htmlEncode(data.getContentURL())%>' marginwidth="10"<%=(data.isIE() && "6.0".compareTo(data.getIEVersion()) <=0)?"scrolling=\"yes\"":""%> marginheight="0" frameborder="0" > > </frameset> > > </html> >Index: advanced/help.jsp >=================================================================== >RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/advanced/help.jsp,v >retrieving revision 1.26 >diff -u -r1.26 help.jsp >--- advanced/help.jsp 19 Nov 2007 22:34:46 -0000 1.26 >+++ advanced/help.jsp 24 Apr 2008 15:57:12 -0000 
>@@ -133,13 +133,13 @@ > <% > if (isRTL) { > %> >- <frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes> >- <frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes> >+ <frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes> >+ <frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes> > <% > } else { > %> >- <frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes> >- <frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes> >+ <frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes> >+ <frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes> > <% > } > 
%>
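Review bot: In advanced/workingSet.jsp at @@ -144, `oldName` is emitted into a single-quoted JavaScript literal while the neighbouring `altBookClosed` and `altBookOpen` use double quotes, so the fix only holds if UrlUtil.JavaScriptEncode escapes `'` as well as `"` and backslash, and also neutralises a `</script>` sequence, since the value sits inside a script block. Please confirm this against UrlUtil or add a test with a working set name containing those characters; using a double-quoted literal here would at least make the line consistent with the two below it.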
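Review bot: In advanced/workingSet.jsp at @@ -382, the encoded name is placed in a single-quoted attribute (`value='<%=data.isEditMode()?UrlUtil.htmlEncode(data.getWorkingSetName()):""%>'`), which is only safe if UrlUtil.htmlEncode encodes the apostrophe; many HTML encoders cover only `<`, `>`, `&` and `"`. Either confirm that `'` is encoded or double-quote the attribute. The same question applies to the single-quoted `src`, `href` and `value` attributes changed in nav.jsp, help.jsp, content.jsp, searchScoped.jsp and bookmarksView.jsp.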
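Review bot: In advanced/searchView.jsp at @@ -41, `request.getQueryString()` returns null when the request has no query string, and inside refresh() that value is now passed straight into UrlUtil.JavaScriptEncode. Unless JavaScriptEncode is null-safe, the page will fail to render in that case; guard the call or substitute an empty string when the query string is null.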
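Review bot: In advanced/bookmarksView.jsp at @@ -126, HTML-encoding `bookmarks[i].getHref()` keeps the value from breaking out of the `href` attribute but does not constrain the URL scheme, so a stored bookmark whose href begins with `javascript:` would still run script when clicked. If bookmark hrefs can originate from request data, validate the scheme (or require a relative help path) before rendering, in addition to the encoding added here.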
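Review bot: In advanced/content.jsp at @@ -47, only the ContentViewFrame `src` is encoded; the ContentToolbarFrame line directly above it in the same hunk still emits `"contentToolbar.jsp"+data.getQuery()` unencoded, although nav.jsp and help.jsp in this patch wrap the same `data.getQuery()` call in UrlUtil.htmlEncode. Apply the same encoding to that frame, or state why this one is safe to leave.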
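Review bot: In advanced/help.jsp at @@ -133, `UrlUtil.htmlEncode(data.getQuery())` is now repeated four times across the RTL and LTR branches, which makes it easy for a later edit to miss one of them. Compute the encoded query once in a scriptlet variable above the `if (isRTL)` block and reuse it for both the NavFrame and ContentFrame `src` values.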