wayf.jsp fails to properly escape mdui:DisplayName, causing a JavaScript error that stops Suggest.js from working
Description
Lines 562 and 637 of wayf.jsp fail to escape mdui:DisplayName, causing a JavaScript error.
This presented itself as a problem when the 'Ohio Technology Consortium ("OH-TECH")' was added to the metadata, because the double quote was interpreted by JavaScript as a string terminator.
Checkins 2212, 2213, 2214 all contain extra encoding - even though in most cases there does not appear to be the possibility of exploit, we now systematically encode everything as it crosses the javaBean/HTML or javaBean/JavaScript boundary.
Rod Widdowson
March 13, 2012 at 10:09 AM
I'm going to reopen this. There is more escaping that it would be appropriate to add at this time.
Rod Widdowson
March 7, 2012 at 3:27 PM
<Leaving resolved until the release vehicle is decided upon>
Rod Widdowson
March 7, 2012 at 3:17 PM
Checkin 2206 does this using the ESAPI library. This also adds more encoding needed for the "two panes" javascript and some further encoding of the HTML output.
Rod Widdowson
March 7, 2012 at 10:49 AM
Bug confirmed and fixed. Strings are now properly escaped as they move from Java to JavaScript. Checkin 2204
Not closing this since I want to go over the html encoding (again).
Lines 562 and 637 of wayf.jsp fail to escape mdui:DisplayName, causing a JavaScript error.
This presented itself as a problem when the 'Ohio Technology Consortium ("OH-TECH")' was added to the metadata, because the double quote was interpreted by JavaScript as a string terminator.
<mdui:DisplayName xml:lang="en">Ohio Technology Consortium ("OH-TECH")</mdui:DisplayName>
The two Javascript errors follow:
Error: missing ) after argument list
Source File: https://confluence.et-test.psu.edu/discovery/WAYF?entityID=https%3A%2F%2Fconfluence.et-test.psu.edu%2Fshibboleth&return=https%3A%2F%2Fconfluence.et-test.psu.edu%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dcookie%253Ac1c23b83
Line: 1499, Column: 58
Source Code:
opt = new Option ("Ohio Technology Consortium ("OH-TECH")");
Error: missing ] after element list
Source File: https://confluence.et-test.psu.edu/discovery/WAYF?entityID=https%3A%2F%2Fconfluence.et-test.psu.edu%2Fshibboleth&return=https%3A%2F%2Fconfluence.et-test.psu.edu%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dcookie%253Ac1c23b83
Line: 3269, Column: 36
Source Code:
["Ohio Technology Consortium ("OH-TECH")","
------------
This is also affecting the DS at discovery.shibboleth.net.
Error: missing ] after element list
Source File: https://discovery.shibboleth.net/WAYF?entityID=https%3A%2F%2Fissues.shibboleth.net%2Fshibboleth&return=https%3A%2F%2Fissues.shibboleth.net%2Fjira%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253A34ac60553824bda89ec1c4bade43aabedd6dbda0
Line: 3884, Column: 33
Source Code:
["Ohio Technology Consortium ("OH-TECH")","https://idp.oar.net/idp/shibboleth"],
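The following JavaScript is an added illustration, not code from the Shibboleth Discovery Service or from the check-ins mentioned in the comments. It reproduces the reported failure with the OH-TECH display name and shows what a context-aware encoder for the javaBean/JavaScript and javaBean/HTML boundaries has to do: the same value must be encoded differently depending on whether it lands inside a script string literal or inside HTML. The helper names are hypothetical and the escaping rules are written out by hand rather than taken from ESAPI.

```javascript
// Added example, not code from the Shibboleth Discovery Service or from the check-ins
// discussed above. It reproduces the failure with the reported display name and shows a
// context-aware encoder for the javaBean -> JavaScript and javaBean -> HTML boundaries.
// The helper names are hypothetical; the escaping rules are written by hand, not ESAPI's.

// Constructed sample values taken from the error output in the report.
const DISPLAY_NAME = 'Ohio Technology Consortium ("OH-TECH")';
const ENTITY_ID = 'https://idp.oar.net/idp/shibboleth';

// What the unpatched JSP effectively did: wrap the metadata value in quotes and hope.
function naiveJsLiteral(value) {
  return '"' + value + '"';
}

// Encoder for a value placed inside a double-quoted JavaScript string literal that itself
// sits in an inline <script> element. It neutralises everything that can end the literal
// (quotes, backslashes, line terminators) and everything that can end the element
// ("</script>"), so the metadata value can never become script syntax.
function jsStringLiteral(value) {
  let out = '"';
  for (const ch of value) {
    switch (ch) {
      case '\\':     out += '\\\\';    break;
      case '"':      out += '\\"';     break;
      case "'":      out += "\\'";     break;
      case '\n':     out += '\\n';     break;
      case '\r':     out += '\\r';     break;
      case '\u2028': out += '\\u2028'; break; // JS line terminators that JSON.stringify
      case '\u2029': out += '\\u2029'; break; // would otherwise emit raw
      case '<':      out += '\\x3C';   break; // "</script>" can no longer close the element
      case '>':      out += '\\x3E';   break;
      case '&':      out += '\\x26';   break;
      default:       out += ch;
    }
  }
  return out + '"';
}

// Encoder for the javaBean -> HTML boundary (element text and quoted attribute values).
function htmlEscape(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, ch => map[ch]);
}

// Render the two statements the reported errors point at (the Option text and the
// [displayName, entityID] array) using the supplied literal encoder. The script returns
// the values it parsed so the round trip can be checked.
function renderScript(encodeLiteral, displayName, entityId) {
  return [
    'var optionText = ' + encodeLiteral(displayName) + ';',
    'var entries = [[' + encodeLiteral(displayName) + ', ' + encodeLiteral(entityId) + ']];',
    'return { optionText: optionText, entries: entries };'
  ].join('\n');
}

// Parse and run a generated script the way the browser would. A broken literal surfaces
// here as a SyntaxError at parse time, the "missing ) / missing ]" the report shows.
function compileScript(source) {
  try {
    const fn = new Function(source);
    return { ok: true, result: fn() };
  } catch (e) {
    return { ok: false, error: e.name + ': ' + e.message };
  }
}

// Stand-alone demonstration: the naive rendering fails to parse, the escaped one
// round-trips the original value, and the HTML encoder produces entity references.
function demo() {
  const broken = compileScript(renderScript(naiveJsLiteral, DISPLAY_NAME, ENTITY_ID));
  const fixed = compileScript(renderScript(jsStringLiteral, DISPLAY_NAME, ENTITY_ID));
  return { broken, fixed, html: htmlEscape(DISPLAY_NAME) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the naive rendering rejected with a SyntaxError while the escaped rendering returns the original display name and entityID intact. The point of keeping two encoders is the one the later comments make: a value that is safe in one context is not safe in another, so the encoding has to be chosen at each boundary the value crosses rather than applied once.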