diff --git a/CHANGELOG.md b/CHANGELOG.md index 59966f092a..96c9f062a8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) ## [Unreleased] ### Fixed +- #1417 - Fixed xss vulnerabilities in generic lists - #1386 - Fixed ajax calls like undefined.2.json when hovering over parsys - #1301 - Fixed issue in MCP process forms where CoralUI bindings happened twice per form breaking some functionality (like file uploads). - #1401 - Added AEM 6.3 support for conditional hiding in edit dialogs diff --git a/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/genericlist/body.jsp b/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/genericlist/body.jsp index ba31ba6089..1ab0e7ebe0 100644 --- a/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/genericlist/body.jsp +++ b/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/genericlist/body.jsp @@ -21,7 +21,7 @@ -

Generic List - <%= currentPage.getTitle() %>

+

Generic List - <%= xssAPI.encodeForHTML(currentPage.getTitle()) %>

List Items:

@@ -29,4 +29,4 @@ - \ No newline at end of file + diff --git a/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/genericlist/item/item.jsp b/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/genericlist/item/item.jsp index 7119e3589e..763e60b9ab 100644 --- a/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/genericlist/item/item.jsp +++ b/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/genericlist/item/item.jsp @@ -28,7 +28,7 @@ if (title.equals("")) { %>Please enter a title <% } else { %> -Title: <%=title%>
-Value: <%=value%>
+Title: <%=xssAPI.encodeForHTML(title)%>
+Value: <%=xssAPI.encodeForHTML(value)%>
<% } %>