
I have a command button with a confirm action using primefaces:

<p:commandButton value="Test"
    rendered="..."
    action="#{controller.actionMethod(param)}">
    <p:confirm header="Confirmation" escape="false" message="This is a really long message test &lt;br/&gt; 
        This is a really long message test."/>
</p:commandButton>

I've read that turning off escape is a potential XSS attack vulnerability, so I am trying to fix this issue without the use of a line break in the message (and allow for escape=true).

The confirmDialog is global:

<p:confirmDialog global="true" showEffect="fade" hideEffect="fade">
    <p:commandButton value="Yes"
        type="button" styleClass="ui-confirmdialog-yes" icon="ui-button-icon-left ui-icon ui-c ui-icon-check" />
    <p:commandButton value="No"
        type="button" styleClass="ui-confirmdialog-no" icon="ui-button-icon-left ui-icon ui-c ui-icon-close" />
</p:confirmDialog>

I've tried styling using pre-line wrapping, but I haven't had luck. Am I chasing a non-issue? Is this actually an XSS vulnerability?

  • Does this answer your question? [Newline in ](https://stackoverflow.com/questions/20365674/newline-in-pconfirm-message) – Jasper de Vries Jan 28 '20 at 11:21
  • Along with @JasperdeVries' answer, using escape="false" is OK as long as you KNOW the content of what will be put in that box. If it was user entered data you would never want to use escape="false", but if you are always the author of the content it is OK and exactly what escape="false" is for. – Melloware Jan 28 '20 at 12:07
  • @Melloware - These dialogs are completely controlled by the developer, nothing that is inputted. – StaticMaine Jan 28 '20 at 13:20
  • Then have no fear using escape="false". – Melloware Jan 28 '20 at 14:23

1 Answer

A better way to introduce a line break in the message would be to use a facet as described here. This way you get out of this whole XSS fuss.

<p:confirmDialog header="Confirmation">
    <f:facet name="message">
        Are you sure you want to continue?<br/>Yes or no?
    </f:facet>
</p:confirmDialog>

Still, if you want to go this way: assuming you are using PrimeFaces 7, in the documentation manual the escape attribute is given several times without any warning about XSS. I would worry more about XSS when I am getting text input from the user than button input.

  • XSS is dangerous when using input from 'untrusted sources' in an unescaped output. So in both your approaches (= from a duplicate Q) there is as little risk as in the code in the Q – Kukeltje Jan 30 '20 at 06:55
  • As I wrote in the answer, it only applies to button input. Had the input been "text input" I agree with you. – Nullish Byte Feb 02 '22 at 10:42
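The point Melloware's comment and the answer both make is that escape="false" is safe only while the whole message is developer-authored. If such a message also has to carry a dynamic value (for instance the `param` passed to the action), the defensive pattern is to keep the `<br/>` in code you wrote and HTML-escape every data part before it is joined in. The following helper is an added example, not code from the question, the answer or PrimeFaces; the bean name `confirmMessages`, the method names and the EL call in the comment are assumptions.

```java
import java.util.Arrays;
import java.util.stream.Collectors;

// A CDI/JSF bean annotation (e.g. @Named @ApplicationScoped) would normally go here;
// it is left out so the class compiles on its own.
public final class ConfirmMessages {

    /** Minimal HTML escaper for text and attribute context (&, <, >, ", '). */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Builds a multi-line message for a p:confirm with escape="false".
     * Each part is escaped; only the <br/> between parts is markup, and it is authored here.
     * Assumed view usage (bean name and EL call are assumptions, not PrimeFaces API):
     *   <p:confirm header="Confirmation" escape="false"
     *              message="#{confirmMessages.lines('Delete this record?', param)}"/>
     */
    public static String lines(String... parts) {
        return Arrays.stream(parts)
                     .map(ConfirmMessages::escapeHtml)
                     .collect(Collectors.joining("<br/>"));
    }

    public static void main(String[] args) {
        // Constructed sample: the second part contains markup, as request data might.
        String msg = lines("This is a really long message test", "Item: <i>demo</i> & co");
        System.out.println(msg);
        // The line break survives as <br/>; the data's markup is rendered as literal text:
        // This is a really long message test<br/>Item: &lt;i&gt;demo&lt;/i&gt; &amp; co
    }
}
```

With escape="true" the same `<br/>` would be shown literally, so this helper only makes sense together with escape="false" and a message whose markup is entirely yours.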