From 9d6dbf911d52d724297e4e46c4b80649fb028ff9 Mon Sep 17 00:00:00 2001
From: brushed
Date: Thu, 24 Nov 2022 10:19:31 +0100
Subject: [PATCH] XSS vulnerability reported by Eugene Lim and Sng Jay Kai.
---
 .../java/org/apache/wiki/plugin/CurrentTimePlugin.java | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/plugin/CurrentTimePlugin.java b/jspwiki-main/src/main/java/org/apache/wiki/plugin/CurrentTimePlugin.java
index 8d887be1ff..7a8f6438cc 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/CurrentTimePlugin.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/CurrentTimePlugin.java
@@ -1,4 +1,4 @@
-/*
+/*
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements. See the NOTICE file
 distributed with this work for additional information
@@ -14,7 +14,7 @@ Licensed to the Apache Software Foundation (ASF) under one
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied. See the License for the
 specific language governing permissions and limitations
- under the License.
+ under the License.
 */
 package org.apache.wiki.plugin;
@@ -23,6 +23,7 @@ Licensed to the Apache Software Foundation (ASF) under one
 import org.apache.wiki.api.plugin.Plugin;
 import org.apache.wiki.preferences.Preferences;
 import org.apache.wiki.preferences.Preferences.TimeFormat;
+import org.apache.wiki.util.TextUtil;
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -32,7 +33,7 @@ Licensed to the Apache Software Foundation (ASF) under one
 /**
 * Just displays the current date and time.
 * The time format is exactly like in the java.text.SimpleDateFormat class.
- *
+ *

Parameters :

* NONE * @since 1.7.8
@@ -59,7 +60,8 @@ public String execute( final Context context, final Map< String, String > params
 final Date d = new Date(); // Now.
- return fmt.format( d );
+ return TextUtil.replaceEntities( fmt.format( d ) );
+
 } catch( final IllegalArgumentException e ) {
 final ResourceBundle rb = Preferences.getBundle( context, Plugin.CORE_PLUGINS_RESOURCEBUNDLE );
 throw new PluginException( rb.getString( "currenttimeplugin.badformat" ) + e.getMessage() );