From 2dc5a959f0cd31e461cacbdb50cfdf105cd47c78 Mon Sep 17 00:00:00 2001 From: amic <47420151+AmmarBikic@users.noreply.github.com> Date: Tue, 17 Mar 2020 07:53:32 +0100 Subject: [PATCH] Fix xss remained parts (#947) * Fix remained XSS related tooltips by disabling them * Adding TODOs to tooltips which has been set to null because of XSS * Removing TODOs because of SonarQube Signed-off-by: Ammar Bikic --- .../ui/common/detailslayout/AbstractMetadataDetailsLayout.java | 3 ++- .../hawkbit/ui/management/targettable/TargetDetails.java | 3 ++- .../management/targettag/filter/TargetFilterQueryButtons.java | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/common/detailslayout/AbstractMetadataDetailsLayout.java b/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/common/detailslayout/AbstractMetadataDetailsLayout.java index 349500329..6191c6934 100644 --- a/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/common/detailslayout/AbstractMetadataDetailsLayout.java +++ b/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/common/detailslayout/AbstractMetadataDetailsLayout.java @@ -81,8 +81,9 @@ public abstract class AbstractMetadataDetailsLayout extends Table { } private Button customMetadataDetailButton(final String metadataKey) { + //After Vaadin 8 migration: Enable tooltip again, currently it is set to [null] to avoid cross site scripting. final Button viewIcon = SPUIComponentProvider.getButton(getDetailLinkId(metadataKey), metadataKey, - "View " + metadataKey + " Metadata details", null, false, null, SPUIButtonStyleNoBorder.class); + null, null, false, null, SPUIButtonStyleNoBorder.class); viewIcon.setData(metadataKey); viewIcon.addStyleName(ValoTheme.BUTTON_TINY + " " + ValoTheme.BUTTON_LINK + " " + "on-focus-no-border link" + " " + "text-style"); 
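Review bot: Only the tooltip argument of this `getButton` call is neutralised; `metadataKey` still reaches the component through the second argument and through `getDetailLinkId(metadataKey)`. SPUIComponentProvider is not part of this patch, so it is worth confirming that both are rendered as plain text rather than HTML. The same check applies to `createNameValueLayout(key.concat(" : "), ...)` in TargetDetails and to `button.setCaption(name)` in TargetFilterQueryButtons. The added comment would be easier to act on later if it named the untrusted value, for example `// Tooltip disabled: metadataKey is user-controlled and must not reach an HTML-rendered description; re-enable after the Vaadin 8 migration.` The body of customMetadataDetailButton continues past the end of the hunk.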
diff --git a/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/management/targettable/TargetDetails.java b/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/management/targettable/TargetDetails.java index d2f033b4c..02ec3ca53 100644 --- a/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/management/targettable/TargetDetails.java +++ b/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/management/targettable/TargetDetails.java @@ -266,7 +266,8 @@ public class TargetDetails extends AbstractTableDetailsLayout { sortedAttributes.forEach((key, value) -> { final HorizontalLayout conAttributeLayout = SPUIComponentProvider.createNameValueLayout(key.concat(" : "), value == null ? "" : value); - conAttributeLayout.setDescription(key.concat(" : ") + value); + //After Vaadin 8 migration: Enable tooltip again, currently it is set to [null] to avoid cross site scripting. + conAttributeLayout.setDescription(null); conAttributeLayout.addStyleName("label-style"); attributesLayout.addComponent(conAttributeLayout); }); diff --git a/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/management/targettag/filter/TargetFilterQueryButtons.java b/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/management/targettag/filter/TargetFilterQueryButtons.java index 34696860b..45e0a8910 100644 --- a/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/management/targettag/filter/TargetFilterQueryButtons.java +++ b/hawkbit-ui/src/main/java/org/eclipse/hawkbit/ui/management/targettag/filter/TargetFilterQueryButtons.java @@ -130,7 +130,8 @@ public class TargetFilterQueryButtons extends Table { if (id != null) { button.setCaption(name); } - button.setDescription(name); + //After Vaadin 8 migration: Enable tooltip again, currently it is set to [null] to avoid cross site scripting. + button.setDescription(null); button.setData(itemId); button.addClickListener(event -> customTargetTagFilterButtonClick.processButtonClick(event)); return button;
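Review bot: In TargetDetails, `conAttributeLayout.setDescription(null)` drops the tooltip that carried the full attribute text, and nothing in the hunk shows a replacement for values that may not fit in the layout. If the tooltip is still wanted before the migration, escaping would keep it without the HTML risk, e.g. `conAttributeLayout.setDescription(escapeHtml(key + " : " + (value == null ? "" : value)));`, where `escapeHtml` is a placeholder for whatever HTML-escaping helper the project already has. That form also stops a null value from showing up as the text "null", which the removed line allowed. The enclosing method starts before the hunk.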