ZK-5082: Review PageImpl use of exec.evaluate for title, viewport and style

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Affects Version/s: 10.0.0, 9.6.0.1
    • Security Level: Jimmy

      Steps to Reproduce

      Run the fiddle (open it as a standalone tab):

      https://zkfiddle.org/sample/s1gs29/4-title-exec

      Copy an EL expression into the textbox and click the button.

      Current Result

      PageImpl.setTitle always evaluates the given string as an EL expression.

      Expected Result

      There should be an option to send the string as plain data without evaluating it as an EL expression (this is a possible attack vector if the end user can set the page title, or part of it, through input fields).

      Debug Information

      Should review the specs regarding:

      • Should PageImpl automatically evaluate strings as EL expressions for title, viewport and style?
      • Should there be an option to set a string directly without evaluation?

      Affected methods on PageImpl are setTitle, setViewport and setStyle

      Workaround

      Use AuSetTitle instead (its argument is not evaluated):

      Executions.getCurrent().addAuResponse(new AuSetTitle(arbitraryString));

      // Evaluates titleData as an EL expression before sending it to the client
      //Executions.getCurrent().getDesktop().getFirstPage().setTitle(titleData);
      // Sends the String value to the client as-is
      //Executions.getCurrent().addAuResponse(new AuSetTitle(titleData));
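      As an added example (not code from this issue or from the ZK project), a SelectorComposer that applies user-supplied text as the page title through AuSetTitle rather than through PageImpl.setTitle. The component ids, the composer class name and the remark about Page.getTitle() are assumptions.

```java
// Added example, not part of ZK-5082. Assumes a zul page with
// <textbox id="titleBox"/> and <button id="applyBtn"/> inside a window
// that uses this composer (apply="TitleComposer").
import org.zkoss.zk.au.out.AuSetTitle;
import org.zkoss.zk.ui.Executions;
import org.zkoss.zk.ui.select.SelectorComposer;
import org.zkoss.zk.ui.select.annotation.Listen;
import org.zkoss.zk.ui.select.annotation.Wire;
import org.zkoss.zul.Textbox;
import org.zkoss.zul.Window;

public class TitleComposer extends SelectorComposer<Window> {
    @Wire
    private Textbox titleBox;

    // The behaviour reported in this issue: PageImpl.setTitle passes the
    // string through exec.evaluate, so user input written as an EL
    // expression is evaluated on the server instead of being shown verbatim.
    private void setTitleViaPage(String userInput) {
        titleBox.getPage().setTitle(userInput);
    }

    // Workaround from the issue: send the string to the client as an
    // AuSetTitle response. The text reaches the browser unchanged.
    // Assumption (not stated in the issue): because PageImpl.setTitle is
    // bypassed, Page.getTitle() on the server keeps its previous value.
    static void setTitleRaw(String userInput) {
        String title = userInput == null ? "" : userInput;
        Executions.getCurrent().addAuResponse(new AuSetTitle(title));
    }

    @Listen("onClick = #applyBtn")
    public void onApply() {
        // Never hand end-user text to setTitleViaPage; use the raw path.
        setTitleRaw(titleBox.getValue());
    }
}
```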

      People: DevChu, MDuchemin
      Votes: 0
      Watchers: 2