Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 223980

Summary: [Webapp][Security] Unencoded strings inserted into JavaScript
Product: [Eclipse Project] Platform Reporter: Chris Goldthorpe <cgold>
Component: User AssistanceAssignee: platform-ua-inbox <platform-ua-inbox>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: benysh, bokowski, maguirem, zhouyiy
Version: 3.4   
Target Milestone: 3.4 M7   
Hardware: PC   
OS: Windows XP   
Whiteboard:
Attachments:
Description Flags
Patch none

Description Chris Goldthorpe CLA 2008-03-25 17:06:57 EDT 
I20080318-0800

There are a number of places in the help jsp files where character strings are inserted into JavaScript without encoding them first. Here is an example from workingSet.jsp. If these variables contained a quote or various other characters it would cause the JavaScript to have errors.

var oldName = '<%=data.isEditMode()?data.getWorkingSetName():""%>';

It would be better if all such strings in the jsp files be escaped using UrlUtil.JavaScriptEncode.
Comment 1 Chris Goldthorpe CLA 2008-04-24 12:01:44 EDT 
Created attachment 97480 [details]
Patch

I reviewed all the sources looking for places where unescaped strings were inserted into jsp files and found several which needed to be fixed. This patch fixes all of the problems of non escaping that I could find.
Comment 2 Chris Goldthorpe CLA 2008-04-24 12:03:50 EDT 
Fixed in HEAD
Comment 3 Chris Goldthorpe CLA 2008-11-07 14:36:31 EST 
*** Bug 254575 has been marked as a duplicate of this bug. ***