Merge branches '6_2' and 'master-cns' of https://github.com/cnsgithub/primefaces into master-cns

Author: cnsgithub

pom.xml

@@ -126,7 +126,7 @@
         <dependency>
             <groupId>com.rometools</groupId>
             <artifactId>rome</artifactId>
-            <version>1.7.3</version>
+            <version>1.9.0</version>
             <scope>provided</scope>
         </dependency>
 
@@ -191,7 +191,7 @@
         <dependency>
             <groupId>com.hazelcast</groupId>
             <artifactId>hazelcast</artifactId>
-            <version>2.6.5</version>
+            <version>3.9.2</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -200,6 +200,13 @@
             <version>2.7.4</version>
             <scope>provided</scope>
         </dependency>
+
+        <!-- Text Editor -->
+        <dependency>
+            <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
+            <artifactId>owasp-java-html-sanitizer</artifactId>
+            <version>20171016.1</version>
+        </dependency>        
     </dependencies>
 
     <build>

src/main/java/org/primefaces/component/imagecompare/ImageCompareRenderer.java

@@ -39,35 +39,19 @@ protected void encodeScript(FacesContext context, ImageCompare compare) throws I
 
         WidgetBuilder wb = getWidgetBuilder(context);
         wb.init("ImageCompare", compare.resolveWidgetVar(), clientId)
-                .attr("handle", getResourceRequestPath(context, "imagecompare/handle.gif"))
-                .attr("lt", getResourceRequestPath(context, "imagecompare/lt-small.png"))
-                .attr("rt", getResourceRequestPath(context, "imagecompare/rt-small.png"));
-
+                .attr("leftimage", compare.getLeftImage())
+                .attr("rightimage", compare.getRightImage());
         wb.finish();
     }
 
     protected void encodeMarkup(FacesContext context, ImageCompare compare) throws IOException {
         ResponseWriter writer = context.getResponseWriter();
-
         writer.startElement("div", compare);
+        writer.writeAttribute("style", "width: " + compare.getWidth() + "px;" + "height: " + compare.getHeight() + "px;", null);
         writer.writeAttribute("id", compare.getClientId(context), "id");
-        renderImage(context, compare, "before", compare.getLeftImage());
-        renderImage(context, compare, "fter", compare.getRightImage());
+        renderDynamicPassThruAttributes(context, compare);
         writer.endElement("div");
     }
 
-    private void renderImage(FacesContext context, ImageCompare compare, String type, String src) throws IOException {
-        ResponseWriter writer = context.getResponseWriter();
-
-        writer.startElement("div", compare);
-
-        writer.startElement("img", null);
-        writer.writeAttribute("alt", type, null);
-        writer.writeAttribute("src", getResourceURL(context, src), null);
-        writer.writeAttribute("width", compare.getWidth(), null);
-        writer.writeAttribute("height", compare.getHeight(), null);
-        writer.endElement("img");
 
-        writer.endElement("div");
-    }
 }

src/main/java/org/primefaces/component/inputmask/InputMaskRenderer.java

@@ -17,6 +17,7 @@
 
 import java.io.IOException;
 import java.util.logging.Logger;
+import java.util.regex.Pattern;
 
 import javax.faces.component.UIComponent;
 import javax.faces.context.FacesContext;
@@ -32,6 +33,9 @@ public class InputMaskRenderer extends InputRenderer {
 
     private final static Logger logger = Logger.getLogger(InputMaskRenderer.class.getName());
 
+    private final static String REGEX_METACHARS = "<([{\\^-=$!|]})?*+.>".replaceAll(".", "\\\\$0");
+    private final static Pattern REGEX_METACHARS_PATTERN = Pattern.compile("[" + REGEX_METACHARS + "]");
+    
     @Override
     public void decode(FacesContext context, UIComponent component) {
         InputMask inputMask = (InputMask) component;
@@ -46,10 +50,35 @@ public void decode(FacesContext context, UIComponent component) {
         String submittedValue = (String) context.getExternalContext().getRequestParameterMap().get(clientId);
 
         if (submittedValue != null) {
+            
+            if (!translateMaskIntoRegex(inputMask).matcher(submittedValue).matches()) {
+                submittedValue = null;
+            }
+            
             inputMask.setSubmittedValue(submittedValue);
         }
     }
 
+    // https://github.com/digitalBush/jquery.maskedinput
+    // a - Represents an alpha character (A-Z,a-z)
+    // 9 - Represents a numeric character (0-9)
+    // * - Represents an alphanumeric character (A-Z,a-z,0-9)
+    // ? - Makes the following input optional
+    protected Pattern translateMaskIntoRegex(InputMask inputMask) {
+        String mask = inputMask.getMask();
+        
+        // Escape regex metacharacters first
+        String regex = REGEX_METACHARS_PATTERN.matcher(mask).replaceAll("\\\\$0");
+        
+        regex = regex.replace("a", "[A-Za-z]").replace("9", "[0-9]").replace("*", "[A-Za-z0-9]");
+        int optionalPos = regex.indexOf("\\?");
+        if (optionalPos != -1) {
+            regex = regex.substring(0, optionalPos) + "(" + regex.substring(optionalPos + 2) + ")?";
+        }
+        
+        return Pattern.compile(regex);
+    }
+    
     @Override
     public void encodeEnd(FacesContext context, UIComponent component) throws IOException {
         InputMask inputMask = (InputMask) component;

src/main/java/org/primefaces/component/signature/SignatureRenderer.java

@@ -75,7 +75,7 @@ protected void encodeScript(FacesContext context, Signature signature) throws IO
                 .attr("background", signature.getBackgroundColor(), null)
                 .attr("color", signature.getColor(), null)
                 .attr("thickness", signature.getThickness(), 2)
-                .attr("disabled", signature.isReadonly(), false)
+                .attr("readonly", signature.isReadonly(), false)
                 .attr("guideline", signature.isGuideline(), false)
                 .attr("guidelineColor", signature.getGuidelineColor(), null)
                 .attr("guidelineOffset", signature.getGuidelineOffset(), 25)

src/main/java/org/primefaces/component/texteditor/TextEditorRenderer.java

@@ -17,25 +17,70 @@
 
 import java.io.IOException;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 import javax.faces.component.UIComponent;
 import javax.faces.context.FacesContext;
 import javax.faces.context.ResponseWriter;
 import javax.faces.convert.Converter;
 import javax.faces.convert.ConverterException;
 
+import org.owasp.html.HtmlPolicyBuilder;
+import org.owasp.html.PolicyFactory;
+import org.owasp.html.Sanitizers;
 import org.primefaces.renderkit.CoreRenderer;
 import org.primefaces.util.ComponentUtils;
 import org.primefaces.util.WidgetBuilder;
 
 public class TextEditorRenderer extends CoreRenderer {
 
+    private static final PolicyFactory HTML_IMAGES_SANITIZER = new HtmlPolicyBuilder()
+            .allowUrlProtocols("data", "http", "https")
+            .allowElements("img")
+            .allowAttributes("src")
+            .matching(Pattern.compile("^(data:image/(gif|png|jpeg)[,;]|http|https|mailto|//).+", Pattern.CASE_INSENSITIVE))
+            .onElements("img")
+            .toFactory();
+    private static final PolicyFactory HTML_LINKS_SANITIZER = Sanitizers.LINKS
+            .and(new HtmlPolicyBuilder()
+            .allowElements("a")
+            .allowAttributes("target")
+            .onElements("a")
+            .toFactory());
+    private static final PolicyFactory HTML_STYLES_SANITIZER = Sanitizers.STYLES
+            .and(new HtmlPolicyBuilder()
+            .allowElements("span")
+            .allowAttributes("class")
+            .onElements("span")
+            .toFactory());
+    private static final PolicyFactory HTML_DENY_ALL_SANITIZER = new HtmlPolicyBuilder().toFactory();
+
+    protected String sanitizeHtml(String value, TextEditor editor) {
+        PolicyFactory sanitizer = HTML_DENY_ALL_SANITIZER;
+        if (editor.isAllowBlocks()) {
+            sanitizer = sanitizer.and(Sanitizers.BLOCKS);
+        }
+        if (editor.isAllowFormatting()) {
+            sanitizer = sanitizer.and(Sanitizers.FORMATTING);
+        }
+        if (editor.isAllowLinks()) {
+            sanitizer = sanitizer.and(HTML_LINKS_SANITIZER);
+        }
+        if (editor.isAllowStyles()) {
+            sanitizer = sanitizer.and(HTML_STYLES_SANITIZER);
+        }
+        if (editor.isAllowImages()) {
+            sanitizer = sanitizer.and(HTML_IMAGES_SANITIZER);
+        }
+        return value == null ? null : sanitizer.sanitize(value);
+    }
+
     @Override
     public void decode(FacesContext context, UIComponent component) {
         TextEditor editor = (TextEditor) component;
         String inputParam = editor.getClientId(context) + "_input";
         Map<String, String> params = context.getExternalContext().getRequestParameterMap();
-        String value = params.get(inputParam);
+        String value = sanitizeHtml(params.get(inputParam), editor);
 
         if (value != null && value.equals("<br/>")) {
             value = "";

src/main/java/org/primefaces/renderkit/SelectManyRenderer.java

@@ -39,7 +39,9 @@ public void decode(FacesContext context, UIComponent component) {
         Map<String, String[]> params = context.getExternalContext().getRequestParameterValuesMap();
 
         if (params.containsKey(submitParam)) {
-            selectMany.setSubmittedValue(params.get(submitParam));
+            String[] submittedValues = params.get(submitParam);
+            checkDisabledSelectItemSubmitted(context, selectMany, (Object[]) getValues(selectMany), submittedValues);
+            selectMany.setSubmittedValue(submittedValues);
         }
         else {
             selectMany.setSubmittedValue(new String[0]);

src/main/java/org/primefaces/renderkit/SelectOneRenderer.java

@@ -33,6 +33,8 @@ public void decode(FacesContext context, UIComponent component) {
         String clientId = getSubmitParam(context, selectOne);
         Map<String, String> params = context.getExternalContext().getRequestParameterMap();
         if (params.containsKey(clientId)) {
+            String submittedValue = params.get(clientId);
+            checkDisabledSelectItemSubmitted(context, selectOne, (Object[]) getValues(selectOne), submittedValue);
             selectOne.setSubmittedValue(params.get(clientId));
         }
         else {

src/main/java/org/primefaces/renderkit/SelectRenderer.java

@@ -16,8 +16,12 @@
 package org.primefaces.renderkit;
 
 import java.lang.reflect.Array;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
+import javax.faces.FacesException;
 import javax.faces.component.UIComponent;
+import javax.faces.component.UIInput;
 import javax.faces.context.FacesContext;
 import javax.faces.convert.Converter;
 import javax.faces.model.SelectItem;
@@ -95,4 +99,30 @@ protected int countSelectItems(SelectItem[] selectItems) {
         }
         return count;
     }
+
+    /**
+     * Checks if at least one disabled select item has been submitted - this may occur with client side manipulation (#3264)
+     * @throws javax.faces.FacesException if client side manipulation has been detected, in order to reject the submission
+     */
+    protected void checkDisabledSelectItemSubmitted(FacesContext context, UIInput component, Object[] oldValues, String... newSubmittedValues) 
+            throws FacesException {
+        String msg = "Disabled select item has been submitted";
+        List<Object> oldVals = oldValues == null ? Collections.emptyList() : Arrays.asList(oldValues);
+        List<String> newSubmittedValsStr = newSubmittedValues == null ? Collections.<String>emptyList() : Arrays.asList(newSubmittedValues);
+        for (SelectItem selectItem : getSelectItems(context, component)) {
+            if (selectItem.isDisabled()) {
+                String selectItemValStr = getOptionAsString(context, component, component.getConverter(), selectItem.getValue());
+                if (oldVals.contains(selectItemValStr) && !newSubmittedValsStr.contains(selectItemValStr)) {
+                    // disabled select item has been unselected
+                    throw new FacesException(msg);
+                }
+                if (newSubmittedValsStr.contains(selectItemValStr) && !oldVals.contains(selectItemValStr)) {
+                    // disabled select item has been selected
+                    throw new FacesException(msg);
+                }
+            }
+        }
+    }
+    
+    
 }

src/main/resources-maven-jsf/ui/imageCompare.xml

@@ -74,5 +74,8 @@
         <resource>
             <name>imagecompare/imagecompare.js</name>
         </resource>
+        <resource>
+            <name>imagecompare/imagecompare.css</name>
+        </resource>
     </resources>
 </component>

src/main/resources-maven-jsf/ui/textEditor.xml

@@ -66,6 +66,41 @@
             <defaultValue>true</defaultValue>
             <description>Whether the toolbar of the editor is visible.</description>
         </attribute>
+        <attribute>
+            <name>allowFormatting</name>
+            <required>false</required>
+            <type>java.lang.Boolean</type>
+            <defaultValue>true</defaultValue>
+            <description>Whether to allow formatting to be included.</description>
+        </attribute>
+        <attribute>
+            <name>allowBlocks</name>
+            <required>false</required>
+            <type>java.lang.Boolean</type>
+            <defaultValue>true</defaultValue>
+            <description>Whether to allow blocks to be included.</description>
+        </attribute>
+        <attribute>
+            <name>allowStyles</name>
+            <required>false</required>
+            <type>java.lang.Boolean</type>
+            <defaultValue>true</defaultValue>
+            <description>Whether to allow styles to be included.</description>
+        </attribute>
+        <attribute>
+            <name>allowLinks</name>
+            <required>false</required>
+            <type>java.lang.Boolean</type>
+            <defaultValue>true</defaultValue>
+            <description>Whether to allow links to be included.</description>
+        </attribute>
+        <attribute>
+            <name>allowImages</name>
+            <required>false</required>
+            <type>java.lang.Boolean</type>
+            <defaultValue>true</defaultValue>
+            <description>Whether to allow images to be included.</description>
+        </attribute>        
     </attributes>
     <resources>
         <resource>