From c323b989d2b3751fbb4a0b10aaac97423da47917 Mon Sep 17 00:00:00 2001
From: Tim Donohue <tim.donohue@lyrasis.org>
Date: Mon, 27 Jul 2020 14:42:56 -0500
Subject: [PATCH] Escape any HTML in user provided param.

---
 .../main/java/org/dspace/app/rest/OpenSearchController.java   | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/OpenSearchController.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/OpenSearchController.java
index 42ad173f2e9e..62c6a9c5732c 100644
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/OpenSearchController.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/OpenSearchController.java
@@ -34,6 +34,7 @@
 import org.dspace.content.service.CommunityService;
 import org.dspace.core.Context;
 import org.dspace.core.LogManager;
+import org.dspace.core.Utils;
 import org.dspace.discovery.DiscoverQuery;
 import org.dspace.discovery.DiscoverResult;
 import org.dspace.discovery.IndexableObject;
@@ -103,7 +104,8 @@ public void search(HttpServletRequest request,
 
             // do some sanity checking
             if (!openSearchService.getFormats().contains(format)) {
-                String err = "Format " + format + " is not supported.";
+                // Since we are returning error response as HTML, escape any HTML in "format" param
+                String err = "Format " + Utils.addEntities(format) + " is not supported.";
                 response.setContentType("text/html");
                 response.setContentLength(err.length());
                 response.getWriter().write(err);