Is the <f:verbatim> tag safe against XSS when using tainted user input in JSF?

I am looking for information about XSS in web applications that use JavaServer Faces.
I found the paper Proofing Java EE, JSP, and JSF Applications.
On page 48 (slide 36), titled "Escaping in JSF", there is a code snippet:
<f:verbatim value="#{foo}"/>
Also on page 50 (slide 38) there is a description "Tags that don't escape enough" for <f:verbatim> and <h:outputlink>.
I can't reproduce XSS inside the <f:verbatim> tag when using EL in a web app with Facelets, probably because of auto-escaping in JSF components:
CSRF, XSS and SQL Injection attack prevention in JSF
"JSF is designed to have builtin XSS prevention. You can safely redisplay all user-controlled input (request headers (including cookies!), request parameters (also the ones which are saved in DB!) and request bodies (uploaded text files, etc)) using any JSF component."
It seems that the information in the paper is for JSF before 2.0.
I also found this:
f:verbatim tag stops working when inside a dataTable
"The <f:verbatim> tag is intended to hold plain text/HTML, not JSF components nor EL expressions."
So I don't understand how this tag could be used for XSS if it doesn't work with dynamic data from the request or from beans.
So I have 2 questions:
Is the <f:verbatim> tag safe against XSS when using tainted user input in a web application built on JSF 2.0+ and Facelets?
In which situation does the <f:verbatim> tag fall under "Tags that don't escape enough" in web applications built on JSF?
Example for JSF 2.0 and Facelets:
<h:form>
testform1#{testBean.getXSS(9)}testform1
testform2<h:outputText value="#{testBean.getXSS(10)}" escape="false" />testform2
<f:verbatim escape="false">
aaa#{testBean.getXSS(11)}bbb
ccc
<span>
#{testBean.getXSS(12)}test
<a>link#{testBean.getXSS(13)}</a>
#{testBean.getXSS(14)}
</span>
ddd
<script>alert(15)</script>
eee
<h:outputText value="#{testBean.getXSS(16)}" escape="false" />
ddd
</f:verbatim>
</h:form>
Test method in bean:
public String getXSS(Integer index) {
return ("<script>alert(" + Integer.toString(index) + ")</script>");
}
Output:
testform1<script>alert(9)</script>testform1
testform2<script>alert(10)</script>testform2
aaa<script>alert(11)</script>bbb
ccc
<span>
<script>alert(12)</script>test
<a>link<script>alert(13)</script></a>
<script>alert(14)</script>
</span>
ddd
<script>alert(15)</script>
eee
ddd
<input type="hidden" name="javax.faces.ViewState" id="j_id1:javax.faces.ViewState:1" value="-7832412971090198368:1934231343887166207" autocomplete="off" />
</form>

The referenced article/slide is from 8 June 2009. That's the era of JSF 1.2 and JSP.
JSF 2.0 was introduced in December 2009. JSP has since been deprecated and replaced by Facelets. <f:verbatim> was deprecated because it's entirely useless in Facelets. JSF 2.0 on Facelets is designed to have implicit XSS prevention all over the place (except for one Mojarra-specific bug which is already fixed in 2.2.6; see the 1st "See also" link below for details).
In other words, ignore that article/slide. It doesn't apply to JSF 2.x at all. In future resources, double-check the publish date and whether the versions being treated match yours.
See also:
CSRF, XSS and SQL Injection attack prevention in JSF
Iterate <f:verbatim> within <ui:repeat>
Why Facelets is preferred over JSP as the view definition language from JSF2.0 onwards?

Related

How to input HTML code by Servlet in JSF page [duplicate]

I'm using PrimeFaces with JSF 2.0 to build an application. I'm using the PrimeFaces <p:editor> component to enable the user to create rich text. But the output of this component is HTML source which looks like this:
String text = "<p>This text <i>contains</i> some <b>HTML</b> code.</p>";
When I show this in an <h:outputText> as below:
<h:outputText value="#{bean.text}" />
Then it shows the HTML code as plain text:
<p>This text <i>contains</i> some <b>HTML</b> code.</p>
Is there any component which can interpret the HTML source so that e.g. <i> is actually shown as italics and <b> as bold?
This text contains some HTML code.
JSF by default escapes HTML from backing bean properties in order to prevent XSS attack holes. To disable this, just set the escape attribute of the <h:outputText> to false.
<h:outputText ... escape="false" />
This way the HTML won't be escaped and will thus be interpreted by the web browser.
Unrelated to the concrete problem, beware of XSS attacks as you're here basically redisplaying user-controlled input unescaped. You might want to sanitize it beforehand.
What is the general concept behind XSS?
CSRF, XSS and SQL Injection attack prevention in JSF
Server side HTML sanitizer/cleanup for JSF
Escape everything but linebreaks in h:outputText
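Both answers above turn on the same two operations: the escaping that JSF applies with escape="true" (the default), and the sanitizing this answer recommends before showing editor output with escape="false". The following added example, which is illustrative code and not JSF's own renderer or any PrimeFaces code (the class and method names are my own), shows a minimal escaper beside an allowlist sanitizer that keeps only the <p>, <i>, <b> style tags the question uses and renders everything else as inert text.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Added illustration, not JSF renderer code: escapeHtml() mirrors the effect of escape="true", sanitize() is the allowlist alternative to escape="false".
public class OutputEscapingDemo {
    // Escaping of the kind escape="true" performs: a bean value such as "<script>alert(9)</script>"
    // is displayed as text instead of being executed by the browser.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;");   break;
                case '>': sb.append("&gt;");   break;
                case '&': sb.append("&amp;");  break;
                case '"': sb.append("&quot;"); break;
                default:  sb.append(c);
            }
        }
        return sb.toString();
    }
    // Allowlist for rich-text markup that is later displayed with escape="false".
    // Only these tag names survive, and always without attributes (so no onclick, href, etc.).
    private static final Set<String> ALLOWED = Set.of("p", "b", "i", "u", "em", "strong", "br");
    private static final Pattern TAG = Pattern.compile("<(/?)([a-zA-Z]+)[^<>]*>");
    static String sanitize(String html) {
        StringBuilder out = new StringBuilder();
        Matcher m = TAG.matcher(html);
        int last = 0;
        while (m.find()) {
            out.append(escapeHtml(html.substring(last, m.start())));   // text between tags is escaped
            String name = m.group(2).toLowerCase();
            if (ALLOWED.contains(name)) {
                out.append('<').append(m.group(1)).append(name).append('>'); // rebuilt without attributes
            } else {
                out.append(escapeHtml(m.group()));   // <script>, <img ...> and the like become inert text
            }
            last = m.end();
        }
        out.append(escapeHtml(html.substring(last)));
        return out.toString();
    }
    public static void main(String[] args) {
        String editorText = "<p>This text <i>contains</i> some <b>HTML</b> code.</p>"; // constructed, from the question
        String tainted = "<p onclick=\"steal()\">hi</p><script>alert(1)</script>";     // constructed tainted input
        System.out.println(escapeHtml(tainted));    // every tag literal, as escape="true" would display it
        System.out.println(sanitize(editorText));   // allowed tags pass through unchanged
        System.out.println(sanitize(tainted));      // onclick attribute dropped, script tags escaped
    }
}
```

The regex allowlist is a teaching-size sanitizer (it double-escapes entities already present in the text and ignores tag nesting), so for production rich text use a maintained library such as the OWASP Java HTML Sanitizer, as the "Server side HTML sanitizer/cleanup for JSF" link above discusses.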

Wrapping JSF components with DIV

I have a DIV element with a header style enclosing an h:outputText, but when the page renders I see the HTML is formed in such a way that my div does not contain the label generated by the h:outputText; instead I see the label above my DIV. Am I doing it wrong? I tried f:verbatim but it didn't help either.
Based on your question history you're using the ancient JSF 1.1. The <f:verbatim> way should work. Perhaps you've enclosed JSF components inside <f:verbatim>. You should not do that. It should only contain raw HTML.
<f:verbatim><div></f:verbatim>
<h:outputText value="Some text." />
<f:verbatim></div></f:verbatim>
Since JSF 1.2 the <f:verbatim> is not necessary anymore. JSF 1.2 should work in all environments where JSF 1.1 is being used. I strongly recommend upgrading.
See also:
Mix HTML and JSF in a JSF subview
What are the main disadvantages of Java Server Faces 2.0? (a bit of history)

Difference between <f:subview> and <ui:composition> tags

What is the difference between the <f:subview> and <ui:composition> tags? For what purposes and cases is each of these tags suitable?
The <f:subview> introduces a new NamingContainer layer and was initially (in JSF 1.0) designed to be used in combination with JSP's <jsp:include> tag.
<f:subview id="foo">
<jsp:include page="/WEB-INF/include.jsp" />
</f:subview>
In JSF 2.0, which uses Facelets instead of JSP as the default view technology, this tag no longer has any real value.
The <ui:composition>, which is from JSP's successor Facelets, defines a template composition and allows developers to design the HTML template in visual HTML editors like Dreamweaver. When actually used in a JSF/Facelets environment, any content outside <ui:composition> will be disregarded and only the inner content will be used to build the component tree. This tag can be used in both the include pages and template clients. See also How to include another XHTML in XHTML using JSF 2.0 Facelets?

When is JSF's <f:verbatim> body evaluated/executed?

We have an Oracle ADF Faces 11.1.1.5 application which integrates Oracle SiteStudio regions through Oracle's OpenWCM tags (e.g. <wcm:placeholder>). Since these tags are JSP tags (and not JSF components), they must be put inside an <f:verbatim> tag in JSF pages:
...
<f:verbatim>
<wcm:placeholder name="content"/>
</f:verbatim>
...
Unfortunately, we realized that <f:verbatim>'s body is evaluated/executed at each request (even at postback requests and at PPR requests that have nothing to do with this section of the page) and this causes regeneration of the corresponding SiteStudio region unnecessarily, which is a huge overhead.
Could anybody explain when <f:verbatim>'s body is evaluated/executed? How could we work around this problem?

Show or Hide HTML DIV in JSF 1.2

When the Apache MyFaces JSF 1.2 implementation renders an HTML page behind the scenes, is it even possible to set/code something which will display a pure HTML table/DIV (NOT the JSF component) conditionally? When I searched, I saw that using h:panelGroup is a solution, but I haven't tried it yet; posting here for any better methods or approaches.
It's almost like wanting to say: writing JavaScript code in Java and injecting it when the HTML is rendered. Is it possible?
Thanks,
Several ways.
Use <h:panelGroup layout="block">. It renders an HTML <div> element.
<h:panelGroup layout="block" rendered="#{bean.condition}">
content
</h:panelGroup>
Wrap the HTML <div> element inside a <h:panelGroup>. Without any client-side attributes like id, styleClass, onclick, etc, the <h:panelGroup> won't render anything. With them it would however render a <span> element (or <div> if layout is set to block).
<h:panelGroup rendered="#{bean.condition}">
<div>content</div>
</h:panelGroup>
Wrap the HTML <div> element inside a <f:verbatim>.
<f:verbatim rendered="#{bean.condition}">
<div>content</div>
</f:verbatim>
It's by the way not so special that MyFaces generates HTML. The Mojarra JSF implementation also does that. The competitors Struts2, Spring MVC, Wicket, Tapestry, etc. also. Microsoft ASP.NET MVC also. PHP also. All server-side languages in fact. Simply because of the fact that the web browser doesn't understand them. It only understands HTML/CSS/JS ;)
As to mixing JavaScript with Java/JSP/JSF, you may find this article useful.