
Bug 280166

Summary: [CLabel] script injection vulnerability
Product: [RT] RAP
Reporter: Rüdiger Herrmann <ruediger.herrmann>
Component: RWT
Assignee: Project Inbox <rap-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: P3
CC: elias
Version: 1.0
Flags: ruediger.herrmann: review? (rsternberg)
Target Milestone: 1.2
Hardware: All
OS: All
Whiteboard:
Bug Depends on:
Bug Blocks: 280142
Attachments:
  Bugfix - escapes text before it is sent to the client (flags: none)

Description Rüdiger Herrmann CLA 2009-06-13 07:04:08 EDT
If a string shown in the CLabel contains JS-code, this will be executed in the browser. 
For example:
  label.setText( "<script>alert(\"huhu from the darkside\");</script>" );

This seems to be browser specific:
* in FF 3.0.8 – script executes
* in IE 8 – script does not execute
Comment 1 Rüdiger Herrmann CLA 2009-06-13 07:06:19 EDT
Created attachment 139096 [details]
Bugfix - escapes text before it is sent to the client
Comment 2 Ralf Sternberg CLA 2009-06-14 11:08:09 EDT
The second argument to WidgetLCAUtil#escapeText must be true to swallow mnemonics ampersand characters.
Plus, we need an additional WidgetLCAUtil#replaceNewLines( text, "<br/>" ) like in StandardLabelLCA to get the same behavior as in SWT.
See this example:

  CLabel label = new CLabel( shell, SWT.BORDER );
  label.setText( "&One && Two\n\tSecond Line" );

We can either open a new bug for this issue or fix it right away, since we need to touch this code anyway.

+1 for the patch as it fixes the problem.
Comment 3 Rüdiger Herrmann CLA 2009-06-15 08:34:13 EDT
Committed the patch to CVS HEAD with one modification:
  the second argument to WidgetLCAUtil#escapeText is now true (see comment #2)
  
I transferred the other issues reported in comment #1 to bug 280266
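As an added illustration of the fix discussed in comments 2 and 3 (this is example code, not RAP's own implementation), the following Java sketch reimplements the two steps the LCA applies before CLabel text reaches the browser: HTML-escaping with SWT mnemonic handling, followed by newline replacement. The methods escapeText and replaceNewLines are stand-ins named after the WidgetLCAUtil methods mentioned in the thread, written here from scratch.

```java
// Added example: models what the LCA must do with CLabel text before it is
// sent to the client. Not RAP's code; escapeText/replaceNewLines are
// hypothetical stand-ins for the WidgetLCAUtil methods named in the thread.
public final class CLabelTextEscaper {

  // HTML-escape the text. With mnemonics == true, SWT mnemonic rules apply:
  // "&&" renders as a literal "&" and a single "&" (the mnemonic marker)
  // is swallowed, as requested in comment 2.
  static String escapeText(String text, boolean mnemonics) {
    StringBuilder out = new StringBuilder(text.length());
    for (int i = 0; i < text.length(); i++) {
      char ch = text.charAt(i);
      switch (ch) {
        case '&':
          if (!mnemonics) {
            out.append("&amp;");
          } else if (i + 1 < text.length() && text.charAt(i + 1) == '&') {
            out.append("&amp;"); // "&&" -> one visible ampersand
            i++;                 // skip the second '&'
          }
          // a lone '&' is a mnemonic marker and produces no output
          break;
        case '<':  out.append("&lt;");   break;
        case '>':  out.append("&gt;");   break;
        case '"':  out.append("&quot;"); break;
        case '\'': out.append("&#39;");  break;
        default:   out.append(ch);
      }
    }
    return out.toString();
  }

  // Replace line breaks with markup. Must run AFTER escaping, otherwise the
  // inserted "<br/>" would itself be escaped.
  static String replaceNewLines(String text, String replacement) {
    return text.replace("\r\n", replacement)
               .replace("\n", replacement)
               .replace("\r", replacement);
  }

  // The order the fix uses: escape first, then insert <br/> for newlines.
  static String renderText(String text) {
    return replaceNewLines(escapeText(text, true), "<br/>");
  }

  public static void main(String[] args) {
    // The two inputs from the bug report: the script payload and the mnemonic text
    System.out.println(renderText("<script>alert(\"huhu from the darkside\");</script>"));
    System.out.println(renderText("&One && Two\n\tSecond Line"));
  }
}
```

With mnemonics enabled, the second input renders as "One &amp; Two<br/>" followed by the tab and "Second Line", matching the SWT behaviour comment 2 asks for, while the first input is inert markup text rather than an executable script element.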