Fixes Issue #1421.
HistoryImplIE6 did a $doc.write of the unsanitized historyToken exposing an
XSS vulnerability. This fix adds html entity escaping to the token before
it is written.
Found by: akimpton
Review by: scottb, jgw
git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@1257 8db76d5a-ed1c-0410-87a9-c151d255dfc7
diff --git a/user/src/com/google/gwt/user/client/impl/HistoryImplIE6.java b/user/src/com/google/gwt/user/client/impl/HistoryImplIE6.java
index e56e037..c032343 100644
--- a/user/src/com/google/gwt/user/client/impl/HistoryImplIE6.java
+++ b/user/src/com/google/gwt/user/client/impl/HistoryImplIE6.java
@@ -15,6 +15,7 @@
*/
package com.google.gwt.user.client.impl;
+import com.google.gwt.user.client.DOM;
import com.google.gwt.user.client.Element;
/**
@@ -22,7 +23,20 @@
* {@link com.google.gwt.user.client.impl.HistoryImplFrame}.
*/
class HistoryImplIE6 extends HistoryImplFrame {
-
+
+ /**
+ * Sanitizes an untrusted string to be used in an HTML context. NOTE: This
+ * method of escaping strings should only be used on Internet Explorer.
+ *
+ * @param maybeHtml untrusted string that may contain html
+ * @return sanitized string
+ */
+ private static String escapeHtml(String maybeHtml) {
+ final Element div = DOM.createDiv();
+ DOM.setInnerText(div, maybeHtml);
+ return DOM.getInnerHTML(div);
+ }
+
private static native void initUrlCheckTimer() /*-{
// This is the URL check timer. It detects when an unexpected change
// occurs in the document's URL (e.g. when the user enters one manually
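Review bot: The Javadoc on `escapeHtml` promises a "sanitized" string, but the innerText-to-innerHTML round trip only entity-encodes the text-node delimiters (`&`, `<`, `>`); quote characters pass through unchanged, so the result is safe only when interpolated as element content, never inside an attribute value, and the contract should state that limitation explicitly, e.g. replace the summary with `Escapes an untrusted string for use as HTML element text content (not as an attribute value): only '&', '<' and '>' are entity-encoded, so callers must not place the result inside a quoted attribute.` The null case is also left to the browser: the JSNI caller guards with `|| ""`, but what `DOM.setInnerText(div, null)` does depends on the innerText setter, so the method should either document the non-null precondition or normalize it itself with `if (maybeHtml == null) maybeHtml = "";` at the top. The "should only be used on Internet Explorer" remark would read better if it said why, e.g. `this class is the IE6 implementation and innerText is an IE-specific property`, so a future maintainer does not lift the helper into a shared base class. initUrlCheckTimer's body continues past the end of this hunk.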
@@ -95,8 +109,7 @@
}-*/;
protected native void newItemImpl(Element historyFrame, String historyToken, boolean forceAdd) /*-{
- historyToken = historyToken || "";
-
+ historyToken = @com.google.gwt.user.client.impl.HistoryImplIE6::escapeHtml(Ljava/lang/String;)(historyToken || "");
if (forceAdd || ($wnd.__gwt_historyToken != historyToken)) {
var doc = historyFrame.contentWindow.document;
doc.open();