From b50a028e2f3593f8e1d026556b9022f6e2f3446f Mon Sep 17 00:00:00 2001
From: liangshiwei <shiwei.liang@volosoft.com>
Date: Fri, 27 Jan 2023 10:35:54 +0800
Subject: [PATCH] Fix cross site scripting (reflected) vulnerability in
 permission module

---
 .../AbpPermissionManagement/PermissionManagementModal.cshtml   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/permission-management/src/Volo.Abp.PermissionManagement.Web/Pages/AbpPermissionManagement/PermissionManagementModal.cshtml b/modules/permission-management/src/Volo.Abp.PermissionManagement.Web/Pages/AbpPermissionManagement/PermissionManagementModal.cshtml
index 4261721f82b..c1fb697308e 100644
--- a/modules/permission-management/src/Volo.Abp.PermissionManagement.Web/Pages/AbpPermissionManagement/PermissionManagementModal.cshtml
+++ b/modules/permission-management/src/Volo.Abp.PermissionManagement.Web/Pages/AbpPermissionManagement/PermissionManagementModal.cshtml
@@ -1,4 +1,5 @@
 @page
+@using System.Web;
 @using Microsoft.AspNetCore.Mvc.Localization
 @using Volo.Abp.AspNetCore.Mvc.UI.Bootstrap.TagHelpers.Modal
 @using Volo.Abp.Localization
@@ -12,7 +13,7 @@
 
 <form method="post" asp-page="/AbpPermissionManagement/PermissionManagementModal" data-script-class="abp.modals.PermissionManagement" id="PermissionManagementForm">
     <abp-modal size="Large">
-        <abp-modal-header title="@(L["Permissions"].Value) - @Model.EntityDisplayName"></abp-modal-header>
+        <abp-modal-header title="@(L["Permissions"].Value) - @(HttpUtility.HtmlEncode(Model.EntityDisplayName))"></abp-modal-header>
         <abp-modal-body class="custom-scroll-container">
             <abp-input asp-for="SelectAllInAllTabs" check-box-hidden-input-render-mode="CheckBoxHiddenInputRenderMode.None" label="@L["SelectAllInAllTabs"].Value"/>
             <hr class="mt-2 mb-2"/>