From 15e0b78f064e83aced3382fc26efb2c426c14ec5 Mon Sep 17 00:00:00 2001
From: nullterminated
Date: Mon, 11 Jun 2012 08:15:57 -0700
Subject: [PATCH] Escape @@value@@ in validation messages to prevent potential xss attacks.
---
 .../English.lproj/ValidationTemplate.strings | 6 +++---
 .../Resources/Dutch.lproj/ValidationTemplate.strings | 6 +++---
 .../English.lproj/ValidationTemplate.strings | 6 +++---
 .../Resources/German.lproj/ValidationTemplate.strings | 6 +++---
 .../Resources/Dutch.lproj/ValidationTemplate.strings | 2 +-
 .../Resources/German.lproj/ValidationTemplate.strings | 2 +-
 .../extensions/validation/ERXValidationException.java | 11 +++++++++++
 .../English.lproj/ValidationTemplate.strings | 6 +++---
 8 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/Frameworks/Ajax/ERDivaLook/Resources/English.lproj/ValidationTemplate.strings b/Frameworks/Ajax/ERDivaLook/Resources/English.lproj/ValidationTemplate.strings
index 4192f9fac1d..5a8ac228e18 100644
--- a/Frameworks/Ajax/ERDivaLook/Resources/English.lproj/ValidationTemplate.strings
+++ b/Frameworks/Ajax/ERDivaLook/Resources/English.lproj/ValidationTemplate.strings
@@ -1,10 +1,10 @@
 {
- "IllegalCharacterInNumberException" = "Please check the value @@value@@ you supplied for the field @@displayNameForProperty@@.";
- "InvalidDateFormatException" = "Please check @@displayNameForProperty@@ as @@value@@ is not a valid date";
+ "IllegalCharacterInNumberException" = "Please check the value @@escapedValue@@ you supplied for the field @@displayNameForProperty@@.";
+ "InvalidDateFormatException" = "Please check @@displayNameForProperty@@ as @@escapedValue@@ is not a valid date";
 "InvalidNumberException" = "The value is an invalid number.";
 "MandatoryToManyRelationshipException" = "A @@displayNameForEntity@@ must have a least one @@displayNameForDestinationEntity@@.";
 "MandatoryToOneRelationshipException" = "A @@displayNameForEntity@@ must have a @@displayNameForProperty@@.";
- "NotANumberException" = "Sorry, I could not read this number @@value@@ ";
+ "NotANumberException" = "Sorry, I could not read this number @@escapedValue@@ ";
 "NullPropertyException" = "Please provide a @@displayNameForProperty@@.";
 "ObjectCannotBeDeletedException" = "Cannot delete this @@displayNameForEntity@@ because either this @@displayNameForEntity@@ or any object related to this @@displayNameForEntity@@ cannot be deleted.";
 "ObjectRemovalException" = "Cannot delete this @@displayNameForEntity@@. You should first delete the item in its @@displayNameForProperty@@.";
diff --git a/Frameworks/Core/ERDirectToWeb/Resources/Dutch.lproj/ValidationTemplate.strings b/Frameworks/Core/ERDirectToWeb/Resources/Dutch.lproj/ValidationTemplate.strings
index 06f929859b9..ba8c6d82d1a 100644
--- a/Frameworks/Core/ERDirectToWeb/Resources/Dutch.lproj/ValidationTemplate.strings
+++ b/Frameworks/Core/ERDirectToWeb/Resources/Dutch.lproj/ValidationTemplate.strings
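Review bot: Only the `@@value@@` placeholder is switched to `@@escapedValue@@` here; `@@displayNameForProperty@@`, `@@displayNameForEntity@@` and `@@displayNameForDestinationEntity@@` are still substituted unescaped. That is acceptable if those names resolve from model metadata or localizer strings rather than request input, which the names suggest but the hunk cannot show; any application that derives a display name from user-editable data needs the same treatment. The hunk covers only lines 1–10 of the template, so `@@value@@` uses further down the file, if any, are not visible and should be checked. The same two points apply to the other ValidationTemplate.strings hunks in this commit.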
@@ -1,10 +1,10 @@
 {
- "IllegalCharacterInNumberException" = "De waarde @@value@@ in @@displayNameForProperty@@ is niet toegestaan.";
- "InvalidDateFormatException" = "De waarde @@value@@ in @@displayNameForProperty@@ is geen geldige datum.";
+ "IllegalCharacterInNumberException" = "De waarde @@escapedValue@@ in @@displayNameForProperty@@ is niet toegestaan.";
+ "InvalidDateFormatException" = "De waarde @@escapedValue@@ in @@displayNameForProperty@@ is geen geldige datum.";
 "InvalidNumberException" = "Deze waarde is geen getal.";
 "MandatoryToManyRelationshipException" = "@@displayNameForProperty@@ moet ingevuld zijn.";
 "MandatoryToOneRelationshipException" = "@@displayNameForProperty@@ moet ingevuld zijn.";
- "NotANumberException" = "De waarde @@value@@ is geen getal.";
+ "NotANumberException" = "De waarde @@escapedValue@@ is geen getal.";
 "NullPropertyException" = "Vul het veld @@displayNameForProperty@@ in.";
 "ObjectCannotBeDeletedException" = "Deze @@displayNameForEntity@@ kan niet verwijderd worden, omdat u geen rechten hebt deze @@displayNameForEntity@@ direct of een van de verwante objecten van @@displayNameForEntity@@ te verwijderen.";
 "ObjectRemovalException" = "@@displayNameForEntity@@ kan niet verwijderd worden als @@displayNameForProperty@@ nog bestaat.";
diff --git a/Frameworks/Core/ERDirectToWeb/Resources/English.lproj/ValidationTemplate.strings b/Frameworks/Core/ERDirectToWeb/Resources/English.lproj/ValidationTemplate.strings
index f00b2219fa9..ca7368c9e42 100644
--- a/Frameworks/Core/ERDirectToWeb/Resources/English.lproj/ValidationTemplate.strings
+++ b/Frameworks/Core/ERDirectToWeb/Resources/English.lproj/ValidationTemplate.strings
@@ -1,10 +1,10 @@
 {
- "IllegalCharacterInNumberException" = "Please check the value @@value@@ you supplied for the field @@displayNameForProperty@@.";
- "InvalidDateFormatException" = "Please check @@displayNameForProperty@@ as @@value@@ is not a valid date";
+ "IllegalCharacterInNumberException" = "Please check the value @@escapedValue@@ you supplied for the field @@displayNameForProperty@@.";
+ "InvalidDateFormatException" = "Please check @@displayNameForProperty@@ as @@escapedValue@@ is not a valid date";
 "InvalidNumberException" = "The value is an invalid number.";
 "MandatoryToManyRelationshipException" = "A @@displayNameForEntity@@ must have a least one @@displayNameForDestinationEntity@@.";
 "MandatoryToOneRelationshipException" = "A @@displayNameForEntity@@ must have a @@displayNameForProperty@@.";
- "NotANumberException" = "Sorry, I could not read this number @@value@@ ";
+ "NotANumberException" = "Sorry, I could not read this number @@escapedValue@@ ";
 "NullPropertyException" = "Please provide @@indefiniteArticleForProperty@@ @@displayNameForProperty@@.";
 "ObjectCannotBeDeletedException" = "Cannot delete this @@displayNameForEntity@@ because either this @@displayNameForEntity@@ or any object related to this @@displayNameForEntity@@ cannot be deleted.";
 "ObjectRemovalException" = "Cannot delete this @@displayNameForEntity@@. You should first delete the item in its @@displayNameForProperty@@.";
diff --git a/Frameworks/Core/ERDirectToWeb/Resources/German.lproj/ValidationTemplate.strings b/Frameworks/Core/ERDirectToWeb/Resources/German.lproj/ValidationTemplate.strings
index 7161e06fdde..9b441308cd1 100644
--- a/Frameworks/Core/ERDirectToWeb/Resources/German.lproj/ValidationTemplate.strings
+++ b/Frameworks/Core/ERDirectToWeb/Resources/German.lproj/ValidationTemplate.strings
@@ -1,10 +1,10 @@
 {
- "IllegalCharacterInNumberException" = "Bitte \U00fcberpr\U00fcfen Sie den Wert @@value@@ in @@displayNameForProperty@@.";
- "InvalidDateFormatException" = "Der Wert @@value@@ in @@displayNameForProperty@@ ist kein g\U00fcltiges Datum.";
+ "IllegalCharacterInNumberException" = "Bitte \U00fcberpr\U00fcfen Sie den Wert @@escapedValue@@ in @@displayNameForProperty@@.";
+ "InvalidDateFormatException" = "Der Wert @@escapedValue@@ in @@displayNameForProperty@@ ist kein g\U00fcltiges Datum.";
 "InvalidNumberException" = "Dieser Wert ist keine Zahl.";
 "MandatoryToManyRelationshipException" = "@@displayNameForProperty@@ m\U00fcssen gesetzt sein.";
 "MandatoryToOneRelationshipException" = "@@displayNameForProperty@@ muss gesetzt sein.";
- "NotANumberException" = "Der Wert @@value@@ ist keine Zahl.";
+ "NotANumberException" = "Der Wert @@escapedValue@@ ist keine Zahl.";
 "NullPropertyException" = "Bitte f\U00fcllen Sie das Feld @@displayNameForProperty@@ aus.";
 "ObjectCannotBeDeletedException" = "Diese @@displayNameForEntity@@ kann nicht gel\U00f6scht werden, weil Sie keine Rechte haben, diese @@displayNameForEntity@@ direkt oder eines der verkn\U00fcpften Objekte dieser @@displayNameForEntity@@ zu l\U00f6schen.";
 "ObjectRemovalException" = "@@displayNameForEntity@@ kann nicht gel\U00f6scht werden l\U00f6schen, solange noch @@displayNameForProperty@@ gesetzt sind.";
diff --git a/Frameworks/Core/ERExtensions/Resources/Dutch.lproj/ValidationTemplate.strings b/Frameworks/Core/ERExtensions/Resources/Dutch.lproj/ValidationTemplate.strings
index fedfb35fb1a..eed8e15c8ee 100644
--- a/Frameworks/Core/ERExtensions/Resources/Dutch.lproj/ValidationTemplate.strings
+++ b/Frameworks/Core/ERExtensions/Resources/Dutch.lproj/ValidationTemplate.strings
@@ -1,7 +1,7 @@
 {
 "EOObjectNotAvailableException" = "Dit gegeven is niet gevonden in de database. Het gegeven is vermoedelijk verwijderd door iemand anders.";
 "ExceedsMaximumLengthException" = "De waarde in @@displayNameForProperty@@ is langer dan de maximale lengte van @@attribute.width@@ tekens.";
- "InvalidNumberException" = "Controleer ** KEY_MARKER ** aangezien @@value@@ een ongeldig getal is.";
+ "InvalidNumberException" = "Controleer ** KEY_MARKER ** aangezien @@escapedValue@@ een ongeldig getal is.";
 "MandatoryToManyRelationshipException" = "@@object.entityName@@ heeft een verplichte verbinding welke niet ingevuld is.";
 "MandatoryToOneRelationshipException" = "Een @@displayNameForEntity@@ moet een @@displayNameForProperty@@ hebben.";
 "NullPropertyException" = "Vul ** KEY_MARKER ** in.";
diff --git a/Frameworks/Core/ERExtensions/Resources/German.lproj/ValidationTemplate.strings b/Frameworks/Core/ERExtensions/Resources/German.lproj/ValidationTemplate.strings
index bc373363599..e29b5108f53 100644
--- a/Frameworks/Core/ERExtensions/Resources/German.lproj/ValidationTemplate.strings
+++ b/Frameworks/Core/ERExtensions/Resources/German.lproj/ValidationTemplate.strings
@@ -1,7 +1,7 @@
 {
 "EOObjectNotAvailableException" = "This object was not found in the database. It was probably deleted by someone else.";
 "ExceedsMaximumLengthException" = "The value entered for @@displayNameForProperty@@ exceeds the length of @@attribute.width@@.";
- "InvalidNumberException" = "Please check @@displayNameForProperty@@ as @@value@@ is an invalid number.";
+ "InvalidNumberException" = "Please check @@displayNameForProperty@@ as @@escapedValue@@ is an invalid number.";
 "MandatoryToManyRelationshipException" = "The @@object.entityName@@ must has a mandatory relationship which is not being satisfied.";
 "MandatoryToOneRelationshipException" = "A @@displayNameForEntity@@ must have a @@displayNameForProperty@@.";
 "NullPropertyException" = "Please provide a @@displayNameForProperty@@.";
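Review bot: Every context line of the ERExtensions German.lproj template is English, so this file appears to be a copy of the English template rather than a translation; the commit does not introduce that, but since the file is being edited it is worth confirming whether a translated version was meant to live here. The `@@attribute.width@@` and `@@object.entityName@@` keypaths in the context lines of both hunks are also substituted raw, which is fine as long as they come from the model and never from request input — not something this hunk can show.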
diff --git a/Frameworks/Core/ERExtensions/Sources/er/extensions/validation/ERXValidationException.java b/Frameworks/Core/ERExtensions/Sources/er/extensions/validation/ERXValidationException.java
index 7fc685739e6..678adaa1779 100644
--- a/Frameworks/Core/ERExtensions/Sources/er/extensions/validation/ERXValidationException.java
+++ b/Frameworks/Core/ERExtensions/Sources/er/extensions/validation/ERXValidationException.java
@@ -8,6 +8,7 @@
 import org.apache.log4j.Logger;
+import com.webobjects.appserver.WOMessage;
 import com.webobjects.eoaccess.EOAttribute;
 import com.webobjects.eoaccess.EOEntity;
 import com.webobjects.eoaccess.EOUtilities;
@@ -272,6 +273,16 @@ public EOAttribute attribute() {
 * @return failed validation value.
 */
 public Object value() { return value; }
+
+ /**
+ * Provides an escaped value to use in validation template string.
+ */
+ public String escapedValue() {
+ if(value() != null) {
+ return WOMessage.stringByEscapingHTMLString(value().toString());
+ }
+ return null;
+ }
 /**
 * Sets the value that failed validation.
diff --git a/Frameworks/Misc/ERDivaliteLook/Resources/English.lproj/ValidationTemplate.strings b/Frameworks/Misc/ERDivaliteLook/Resources/English.lproj/ValidationTemplate.strings
index 4192f9fac1d..5a8ac228e18 100644
--- a/Frameworks/Misc/ERDivaliteLook/Resources/English.lproj/ValidationTemplate.strings
+++ b/Frameworks/Misc/ERDivaliteLook/Resources/English.lproj/ValidationTemplate.strings
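Review bot: The new `escapedValue()` only protects templates that opt in to the new key, so any `@@value@@` left in a ValidationTemplate.strings this commit does not touch — application-level overrides, or lines beyond the ten shown in each template hunk — still renders the failed input raw; escaping at the substitution point, or at least grepping the tree for remaining `@@value@@` uses, would close that gap. The Javadoc should state the contract and the null case, e.g. `@return the HTML-escaped string form of {@link #value()}, or {@code null} when no value was set; templates rendered into HTML must use this key rather than {@code @@value@@}`. `WOMessage.stringByEscapingHTMLString` is the right tool for element content, but if a message is ever placed inside a JavaScript string or an unquoted attribute (the Ajax look is a candidate, though that is not visible here) HTML escaping alone does not suffice. Minor style: the surrounding accessors use a space after `if`, so `if (value() != null)` would match. The enclosing class continues outside the hunk.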
@@ -1,10 +1,10 @@
 {
- "IllegalCharacterInNumberException" = "Please check the value @@value@@ you supplied for the field @@displayNameForProperty@@.";
- "InvalidDateFormatException" = "Please check @@displayNameForProperty@@ as @@value@@ is not a valid date";
+ "IllegalCharacterInNumberException" = "Please check the value @@escapedValue@@ you supplied for the field @@displayNameForProperty@@.";
+ "InvalidDateFormatException" = "Please check @@displayNameForProperty@@ as @@escapedValue@@ is not a valid date";
 "InvalidNumberException" = "The value is an invalid number.";
 "MandatoryToManyRelationshipException" = "A @@displayNameForEntity@@ must have a least one @@displayNameForDestinationEntity@@.";
 "MandatoryToOneRelationshipException" = "A @@displayNameForEntity@@ must have a @@displayNameForProperty@@.";
- "NotANumberException" = "Sorry, I could not read this number @@value@@ ";
+ "NotANumberException" = "Sorry, I could not read this number @@escapedValue@@ ";
 "NullPropertyException" = "Please provide a @@displayNameForProperty@@.";
 "ObjectCannotBeDeletedException" = "Cannot delete this @@displayNameForEntity@@ because either this @@displayNameForEntity@@ or any object related to this @@displayNameForEntity@@ cannot be deleted.";
 "ObjectRemovalException" = "Cannot delete this @@displayNameForEntity@@. You should first delete the item in its @@displayNameForProperty@@.";