CSan

Reputation: 954

JSF SelectItems and escaping (xss)

There is a selectOneMenu in my example with an f:selectItems attribute. The select items are resolved from my bean like this:

<h:selectOneMenu value="#{bean.value}">
    <f:selectItems value="#{bean.selectItems}" var="obj" itemValue="#{obj}" itemLabel="#{obj.name}"/>
</h:selectOneMenu>

The method getSelectItems() in my bean looks like this:

    public List<MyObject> getSelectItems() {
        List<MyObject> list = new LinkedList<MyObject>();

        MyObject obj = new MyObject("Peter");
        list.add(obj);

        return list;
    }

The objects that are displayed are simple objects with an attribute "name".

Nothing special up to this point. But now I change my method to this:

    public List<MyObject> getSelectItems() {
        List<MyObject> list = new LinkedList<MyObject>();

        MyObject obj = new MyObject("<script>alert('xss is bad');</script>");
        list.add(obj);

        return list;
    }

The JavaScript doesn't get escaped by the MenuRenderer class, and my page shows me the alert message.

Is there any reason why the default value of the escape attribute of SelectItem is "false"? How can I fix that problem? (I use Mojarra 2.1.7)

Upvotes: 10

Views: 3502

Answers (1)

BalusC

Reputation: 1109532

The default should indeed not have been false. I've reported it as issue 2747.

In the meantime, add itemLabelEscaped="true" to escape it anyway.

<f:selectItems ... itemLabelEscaped="true" />

Note that this is only necessary when you're using GenericObjectSelectItems, i.e. when you're supplying an E[]/List<E>/Map<K, V> instead of List<SelectItem>/SelectItem[]. Also note that escaping is only absolutely mandatory when it concerns user-controlled input (which is fortunately very rarely the case in dropdown values).

Upvotes: 12
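The answer distinguishes two routes: the generic-object route (List<E> plus var/itemLabel), which in this Mojarra version needs itemLabelEscaped="true" on the tag, and the List<SelectItem> route, where each SelectItem carries its own escape flag. The following is an added example, not code from the question, the answer, or Mojarra, showing the second route with the flag set explicitly per item. MyObject is a stand-in with the shape the question implies (a getName() getter); the class name SafeSelectItems, the method toSelectItems and the bean property name safeSelectItems in the commented Facelets snippet are assumptions made for this example, and it expects the JSF API (javax.faces.model.SelectItem) on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.faces.model.SelectItem;

public class SafeSelectItems {

    /** Stand-in for the MyObject class of the question (assumed shape: a name attribute). */
    public static final class MyObject {
        private final String name;

        public MyObject(String name) {
            this.name = name;
        }

        public String getName() {
            return name;
        }

        @Override
        public String toString() {
            return name;
        }
    }

    /**
     * Wraps arbitrary objects in SelectItem instances with the escape flag set
     * explicitly to true. The five-argument constructor is
     * (value, label, description, disabled, escape); with escape == true the
     * menu renderer HTML-escapes the label, so "<script>" arrives in the browser
     * as "&lt;script&gt;" and is shown as text instead of executed.
     * Setting it explicitly avoids depending on any constructor default.
     */
    public static List<SelectItem> toSelectItems(List<MyObject> objects) {
        List<SelectItem> items = new ArrayList<SelectItem>(objects.size());
        for (MyObject obj : objects) {
            items.add(new SelectItem(obj, obj.getName(), null, false, true));
        }
        return items;
    }

    /**
     * What the bean would expose instead of the List<MyObject> property.
     * Facelets side (assumed property name), no itemLabelEscaped needed because
     * each SelectItem already carries escape == true:
     *
     *   <h:selectOneMenu value="#{bean.value}">
     *       <f:selectItems value="#{bean.safeSelectItems}"/>
     *   </h:selectOneMenu>
     *
     * The generic-object route from the question would instead keep
     * List<MyObject> and add itemLabelEscaped="true" to the f:selectItems tag.
     */
    public List<SelectItem> getSafeSelectItems() {
        // Constructed sample input for this example, including the payload from the question.
        List<MyObject> source = Arrays.asList(
                new MyObject("Peter"),
                new MyObject("<script>alert('xss is bad');</script>"));
        return toSelectItems(source);
    }

    /** Stand-alone sanity check: every item produced must have escaping switched on. */
    public static void main(String[] args) {
        List<SelectItem> items = new SafeSelectItems().getSafeSelectItems();
        for (SelectItem item : items) {
            if (!item.isEscape()) {
                throw new IllegalStateException("unescaped label: " + item.getLabel());
            }
            System.out.println("label=" + item.getLabel() + " escape=" + item.isEscape());
        }
    }
}
```

Compile and run it with the JSF API jar on the classpath (javac -cp javax.faces-api.jar SafeSelectItems.java, then java -cp .:javax.faces-api.jar SafeSelectItems); it only constructs SelectItem objects and inspects isEscape(), so no Faces context or container is needed. Which of the two routes to pick follows the answer's advice: if the labels can ever be user-controlled, escaping is mandatory, and making the flag explicit on each SelectItem means a later change to the tag attributes cannot silently turn it off.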
