Skip to content

Commit

Permalink
AjaxButton: Fixed potential XSS - do not ignore escapeModelStrings flags
Browse files Browse the repository at this point in the history 
Signed-off-by: Tony Tkáčik <tonydamage@gmail.com>
  • Loading branch information
@tonydamage
tonydamage committed Sep 21, 2023
1 parent 123f66d commit e17a0e5
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/AjaxButton.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
import org.apache.wicket.markup.MarkupStream;
import org.apache.wicket.markup.parser.XmlTag;
import org.apache.wicket.model.IModel;
import org.apache.wicket.util.string.Strings;

/**
* @author lazyman
Expand All @@ -32,6 +33,10 @@ public AjaxButton(String id, IModel<String> model) {
public void onComponentTagBody(final MarkupStream markupStream, final ComponentTag openTag) {
String text = getModelObject();
if (StringUtils.isNotEmpty(text)) {
if (this.getEscapeModelStrings()) {
// Escape text iif escapeModel is enabled.
text = Strings.escapeMarkup(text, false, false).toString();
}
replaceComponentTagBody(markupStream, openTag, text);
return;
}
Expand Down

0 comments on commit e17a0e5

Please sign in to comment.