

FC-2929 Fix potential reflected XSS in tray webskins
justincarter committed Jan 6, 2015
1 parent 9943e5c commit 7c2d705
Showing 2 changed files with 23 additions and 25 deletions.
44 changes: 21 additions & 23 deletions webskin/types/trayContainer.cfm
Expand Up @@ -29,7 +29,6 @@


<skin:onReady>
<script><!--- dummy --->
<cfoutput>

<cfparam name="cookie.FARCRYTRAYSTATE" default="minimised">
Expand Down Expand Up @@ -145,7 +144,6 @@
</cfif>

</cfoutput>
</script><!--- dummy --->
</skin:onReady>


Expand Down Expand Up @@ -183,14 +181,14 @@
<cfset trayStatus = "<strong>#application.fapi.getResource('workflow.constants.draft@label','Draft')#</strong>">
<cfset trayIcon = "alert">
<cfif structKeyExists(stobj, "versionID") AND len(stobj.versionID)>
<cfset trayStatusLink = "<a class='farcryTrayStatusLink' href='#application.fapi.fixURL(url='#form.refererURL#', addvalues='showdraft=0')#'>#application.fapi.getResource(key='tray.button.showapproved@label',default='Show Approved')#</a>">
<cfset trayStatusLink = "<a class='farcryTrayStatusLink' href='#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='showdraft=0'))#'>#application.fapi.getResource(key='tray.button.showapproved@label',default='Show Approved')#</a>">
</cfif>
</cfcase>
<cfcase value="pending">
<cfset trayStatus = "<em>#application.fapi.getResource('workflow.constants.pending@label','Pending')#</em>">
<cfset trayIcon = "alert">
<cfif structKeyExists(stobj, "versionID") AND len(stobj.versionID)>
<cfset trayStatusLink = "<a class='farcryTrayStatusLink' href='#application.fapi.fixURL(url='#form.refererURL#', addvalues='showdraft=0')#'>#application.fapi.getResource(key='tray.button.showapproved@label',default='Show Approved')#</a>">
<cfset trayStatusLink = "<a class='farcryTrayStatusLink' href='#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='showdraft=0'))#'>#application.fapi.getResource(key='tray.button.showapproved@label',default='Show Approved')#</a>">
</cfif>
</cfcase>
<cfcase value="approved">
Expand All @@ -199,7 +197,7 @@
<cfif structKeyExists(stobj,"versionID") AND structKeyExists(stobj,"status") AND stobj.status EQ "approved">
<cfset qDraft = application.factory.oVersioning.checkIsDraft(objectid=stobj.objectid,type=stobj.typename)>
<cfif qDraft.recordcount>
<cfset trayStatusLink = "<a class='farcryTrayStatusLink' href='#application.fapi.fixURL(url='#form.refererURL#', addvalues='showdraft=1')#'>#application.fapi.getResource(key='tray.button.showdraft@label',default='Show Draft')#</a>">
<cfset trayStatusLink = "<a class='farcryTrayStatusLink' href='#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='showdraft=1'))#'>#application.fapi.getResource(key='tray.button.showdraft@label',default='Show Draft')#</a>">
</cfif>
</cfif>
</cfcase>
Expand All @@ -220,25 +218,25 @@
<li><a id="farcryTray-dock" href="##"><span class="ui-icon ui-icon-carat-2-n-s"></span><admin:resource key='tray.button.switchtrayposition@label'>Switch Tray Position</admin:resource></a></li>
<li><a id="farcryTray-hide" href="##"><span class="ui-icon ui-icon-carat-2-e-w"></span><admin:resource key='tray.button.hidetray@label'>Hide Tray</admin:resource></a></li>
<li class="farcryTrayContextMenuSeparator"></li>
<li><a href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='rebuild=page')#"><span class="ui-icon ui-icon-arrowrefresh-1-s"></span><admin:resource key='tray.button.rebuildpage@label'>Rebuild Page</admin:resource></a></li>
<li><a href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='rebuild=all')#" onclick="return confirm('#jsstringformat(application.fapi.getResource(key='tray.button.rebuildsite@confirmtext',default='This will clear the cache for the entire website.\nAre you sure you want to continue?'))#');"><span class="ui-icon ui-icon-refresh"></span><admin:resource key='tray.button.rebuildsite@label'>Rebuild Site</admin:resource></a></li>
<li><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='rebuild=page'))#"><span class="ui-icon ui-icon-arrowrefresh-1-s"></span><admin:resource key='tray.button.rebuildpage@label'>Rebuild Page</admin:resource></a></li>
<li><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='rebuild=all'))#" onclick='return confirm("#(application.fapi.getResource(key='tray.button.rebuildsite@confirmtext',default='This will clear the cache for the entire website.\nAre you sure you want to continue?'))#");'><span class="ui-icon ui-icon-refresh"></span><admin:resource key='tray.button.rebuildsite@label'>Rebuild Site</admin:resource></a></li>
<li class="farcryTrayContextMenuSeparator"></li>
<li><a href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='updateapp=#application.updateappkey#')#" onclick="return confirm('#jsstringformat(application.fapi.getResource(key='tray.button.updateapplication@confirmtext',default='This will restart the entire website and may take up to a few minutes.\nAre you sure you want to continue?'))#');"><span class="ui-icon ui-icon-trash"></span><admin:resource key='tray.button.updateapplication@label'>Update Application</admin:resource></a></li>
<li><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='updateapp=#application.updateappkey#'))#" onclick='return confirm("#(application.fapi.getResource(key='tray.button.updateapplication@confirmtext',default='This will restart the entire website and may take up to a few minutes.\nAre you sure you want to continue?'))#");'><span class="ui-icon ui-icon-trash"></span><admin:resource key='tray.button.updateapplication@label'>Update Application</admin:resource></a></li>
<li class="farcryTrayContextMenuSeparator"></li>
<cfif findNoCase("bDebug=1", "#form.refererURL#") OR findNoCase("bDebug/1", "#form.refererURL#")>
<li><a class="farcryTrayMenuSelected" href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='bDebug=0')#"><span class="ui-icon ui-icon-wrench"></span><admin:resource key='tray.button.toggledebugmode@label'>Debug Mode</admin:resource></a></li>
<li><a class="farcryTrayMenuSelected" href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='bDebug=0'))#"><span class="ui-icon ui-icon-wrench"></span><admin:resource key='tray.button.toggledebugmode@label'>Debug Mode</admin:resource></a></li>
<cfelse>
<li><a href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='bDebug=1')#"><span class="ui-icon ui-icon-wrench"></span><admin:resource key='tray.button.toggledebugmode@label'>Debug Mode</admin:resource></a></li>
<li><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='bDebug=1'))#"><span class="ui-icon ui-icon-wrench"></span><admin:resource key='tray.button.toggledebugmode@label'>Debug Mode</admin:resource></a></li>
</cfif>
<cfif findNoCase("profile=1", "#form.refererURL#") OR findNoCase("profile/1", "#form.refererURL#")>
<li><a class="farcryTrayMenuSelected" href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='profile=0')#"><span class="ui-icon ui-icon-battery-3"></span><admin:resource key='tray.button.toggleprofiler@label'>Profiler</admin:resource></a></li>
<li><a class="farcryTrayMenuSelected" href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='profile=0'))#"><span class="ui-icon ui-icon-battery-3"></span><admin:resource key='tray.button.toggleprofiler@label'>Profiler</admin:resource></a></li>
<cfelse>
<li><a href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='profile=1')#"><span class="ui-icon ui-icon-battery-3"></span><admin:resource key='tray.button.toggleprofiler@label'>Profiler</admin:resource></a></li>
<li><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='profile=1'))#"><span class="ui-icon ui-icon-battery-3"></span><admin:resource key='tray.button.toggleprofiler@label'>Profiler</admin:resource></a></li>
</cfif>
<cfif findNoCase("tracewebskins=1", "#form.refererURL#") OR findNoCase("tracewebskins/1", "#form.refererURL#")>
<li><a class="farcryTrayMenuSelected" href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='tracewebskins=0')#"><span class="ui-icon ui-icon-note"></span><admin:resource key='tray.button.toggletracer@label'>Webskin Tracer</admin:resource></a></li>
<li><a class="farcryTrayMenuSelected" href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='tracewebskins=0'))#"><span class="ui-icon ui-icon-note"></span><admin:resource key='tray.button.toggletracer@label'>Webskin Tracer</admin:resource></a></li>
<cfelse>
<li><a href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='tracewebskins=1')#"><span class="ui-icon ui-icon-note"></span><admin:resource key='tray.button.toggletracer@label'>Webskin Tracer</admin:resource></a></li>
<li><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='tracewebskins=1'))#"><span class="ui-icon ui-icon-note"></span><admin:resource key='tray.button.toggletracer@label'>Webskin Tracer</admin:resource></a></li>
</cfif>
</ul>
</div>
Expand All @@ -249,22 +247,22 @@
<div class="farcryTrayButtons">
<a id="farcryTray-edit" href="##"><span class="ui-icon ui-icon-pencil"></span><admin:resource key='tray.button.edit@label'>Edit</admin:resource></a>
<cfif request.mode.design and request.mode.showcontainers gt 0>
<a id="farcryTray-rules" class="farcryTrayButtonSelected" href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='designmode=0')#" title="<admin:resource key='tray.button.hiderules@hint'>Showing rules (click to turn off)</admin:resource>"><span class="ui-icon ui-icon-copy"></span><admin:resource key='tray.button.hiderules@label'>Rules</admin:resource></a>
<a id="farcryTray-rules" class="farcryTrayButtonSelected" href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='designmode=0'))#" title="<admin:resource key='tray.button.hiderules@hint'>Showing rules (click to turn off)</admin:resource>"><span class="ui-icon ui-icon-copy"></span><admin:resource key='tray.button.hiderules@label'>Rules</admin:resource></a>
<cfelse>
<a id="farcryTray-rules" href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='designmode=1')#" title="<admin:resource key='tray.button.showrules@hint'>Hiding rules (click to turn on)</admin:resource>"><span class="ui-icon ui-icon-copy"></span><admin:resource key='tray.button.showrules@label'>Rules</admin:resource></a>
<a id="farcryTray-rules" href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='designmode=1'))#" title="<admin:resource key='tray.button.showrules@hint'>Hiding rules (click to turn on)</admin:resource>"><span class="ui-icon ui-icon-copy"></span><admin:resource key='tray.button.showrules@label'>Rules</admin:resource></a>
</cfif>
<cfif request.mode.showdraft>
<a id="farcryTray-caching" class="farcryTrayButtonSelected" href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='showdraft=0')#" title="<admin:resource key='tray.button.hidedrafts@hint'>Showing drafts (click to turn off)</admin:resource>"><span class="ui-icon ui-icon-document"></span><admin:resource key='tray.button.hidedrafts@label'>Drafts</admin:resource></a>
<a id="farcryTray-caching" class="farcryTrayButtonSelected" href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='showdraft=0'))#" title="<admin:resource key='tray.button.hidedrafts@hint'>Showing drafts (click to turn off)</admin:resource>"><span class="ui-icon ui-icon-document"></span><admin:resource key='tray.button.hidedrafts@label'>Drafts</admin:resource></a>
<cfelse>
<a id="farcryTray-caching" href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='showdraft=1')#" title="<admin:resource key='tray.button.showdrafts@hint'>Hiding Drafts (click to turn on)</admin:resource>"><span class="ui-icon ui-icon-document"></span><admin:resource key='tray.button.showdrafts@label'>Drafts</admin:resource></a>
<a id="farcryTray-caching" href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='showdraft=1'))#" title="<admin:resource key='tray.button.showdrafts@hint'>Hiding Drafts (click to turn on)</admin:resource>"><span class="ui-icon ui-icon-document"></span><admin:resource key='tray.button.showdrafts@label'>Drafts</admin:resource></a>
</cfif>
<cfif request.mode.showdraft OR request.mode.design OR findNoCase("bDebug=1", "#form.refererURL#") OR findNoCase("bDebug/1", "#form.refererURL#") OR (findNoCase("tracewebskins=1", "#form.refererURL#") OR findNoCase("tracewebskins/1", "#form.refererURL#"))>
<a id="farcryTray-caching" class="farcryTrayButtonDisabled" title="<admin:resource key='tray.button.cacheadmin@hint'>Caching is disabled when showing drafts, rules, debugging or webskin tracer</admin:resource>"><span class="ui-icon ui-icon-script"></span><admin:resource key='tray.button.cacheadmin@label'>Caching</admin:resource></a>
<cfelse>
<cfif request.mode.flushcache>
<a id="farcryTray-caching" href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='flushcache=0')#" title="<admin:resource key='tray.button.cacehenable@label'>Showing latest pages (click to show cached)</admin:resource>"><span class="ui-icon ui-icon-script"></span><admin:resource key='tray.button.cacehenable@label'>Caching</admin:resource></a>
<a id="farcryTray-caching" href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='flushcache=0'))#" title="<admin:resource key='tray.button.cacehenable@label'>Showing latest pages (click to show cached)</admin:resource>"><span class="ui-icon ui-icon-script"></span><admin:resource key='tray.button.cacehenable@label'>Caching</admin:resource></a>
<cfelse>
<a id="farcryTray-caching" class="farcryTrayButtonSelected" href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='flushcache=1')#" title="<admin:resource key='tray.button.cacehdisable@label'>Showing cached pages (click to show latest)</admin:resource>"><span class="ui-icon ui-icon-script"></span><admin:resource key='tray.button.cacehdisable@label'>Caching</admin:resource></a>
<a id="farcryTray-caching" class="farcryTrayButtonSelected" href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='flushcache=1'))#" title="<admin:resource key='tray.button.cacehdisable@label'>Showing cached pages (click to show latest)</admin:resource>"><span class="ui-icon ui-icon-script"></span><admin:resource key='tray.button.cacehdisable@label'>Caching</admin:resource></a>
</cfif>
</cfif>
</div>
Expand All @@ -273,9 +271,9 @@
<div class="farcryTrayBody">
<div class="farcryTrayBodyMenu">
<ul>
<li><a href="#application.fapi.fixURL(url='#application.url.webtop#')#"><span class="ui-icon ui-icon-calculator"></span><admin:resource key='tray.button.webtop@label'>Webtop</admin:resource></a></li>
<li><a href="#application.fapi.fixURL(url='#form.refererURL#', addvalues='logout=1')#"><span class="ui-icon ui-icon-power"></span><admin:resource key='tray.button.logout@label'>Logout</admin:resource></a></li>
<li class="farcryTrayPageSpeed"><a title="<admin:resource key='tray.information.renderingspeed@hint'>Page rendering speed</admin:resource>"><span class="ui-icon ui-icon-clock" style="background-position:-81px -112px;"></span> <admin:resource key='tray.information.renderingspeed@label' var1="#url.totalTickCount#">{1} ms</admin:resource></a></li>
<li><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#application.url.webtop#'))#"><span class="ui-icon ui-icon-calculator"></span><admin:resource key='tray.button.webtop@label'>Webtop</admin:resource></a></li>
<li><a href="#application.fc.lib.esapi.encodeForHTMLAttribute(application.fapi.fixURL(url='#form.refererURL#', addvalues='logout=1'))#"><span class="ui-icon ui-icon-power"></span><admin:resource key='tray.button.logout@label'>Logout</admin:resource></a></li>
<li class="farcryTrayPageSpeed"><a title="<admin:resource key='tray.information.renderingspeed@hint'>Page rendering speed</admin:resource>"><span class="ui-icon ui-icon-clock" style="background-position:-81px -112px;"></span> <admin:resource key='tray.information.renderingspeed@label' var1="#application.fc.lib.esapi.encodeForHTML(url.totalTickCount)#">{1} ms</admin:resource></a></li>
</ul>
</div>

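Review bot: In the `@@ -220,25 +218,25 @@` hunk the rewritten onclick handlers on the "Rebuild Site" and "Update Application" items now splice the resource text straight into a JavaScript string literal with no encoding — the previous `jsstringformat()` was dropped and nothing replaced it, so a translation containing a double quote, a backslash or `</` breaks the handler or the attribute. The resource bundle is presumably administrator-controlled rather than request-derived, so this reads as a robustness regression more than a new injection point, but the value sits in JavaScript inside an HTML attribute and should get the same treatment as the hrefs in this hunk: a JavaScript-string encoder (ESAPI's `encodeForJavaScript`, if `application.fc.lib.esapi` exposes it, otherwise the removed `jsstringformat`) followed by `encodeForHTMLAttribute`; if `jsstringformat` was removed only so the `\n` in the default text becomes a real line break, build the default with `chr(10)` instead and keep the encoding. Separately, `encodeForHTMLAttribute` on the href values neutralises attribute break-out but does not stop a non-http scheme in `form.refererURL` from reaching the link, and whether `fixURL` constrains the scheme is not visible here, so validating the referer once where it is read would remove that dependency. The enclosing `<cfoutput>` block for these handlers starts and ends outside this hunk.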
4 changes: 2 additions & 2 deletions webskin/types/trayStandard.cfm
Expand Up @@ -46,11 +46,11 @@
</tr>
<tr>
<th><admin:resource key='tray.summary.pageview@label'>Page View</admin:resource></th>
<td>#application.fapi.getWebskinDisplayName(stobj.typename, arguments.stParam.view)# (#arguments.stParam.view#)</td>
<td>#application.fc.lib.esapi.encodeForHTML(application.fapi.getWebskinDisplayName(stobj.typename, arguments.stParam.view))# (#application.fc.lib.esapi.encodeForHTML(arguments.stParam.view)#)</td>
</tr>
<tr>
<th><admin:resource key='tray.summary.bodyview@label'>Body View</admin:resource></th>
<td>#application.fapi.getWebskinDisplayName(stobj.typename, arguments.stParam.bodyView)# (#arguments.stParam.bodyView#)</td>
<td>#application.fc.lib.esapi.encodeForHTML(application.fapi.getWebskinDisplayName(stobj.typename, arguments.stParam.bodyView))# (#application.fc.lib.esapi.encodeForHTML(arguments.stParam.bodyView)#)</td>
</tr>
</table>

