2.11.3-git-05 Weblog plugin xss protection

apache · Mar 28, 2022 · c5ff7ab · c5ff7ab
1 parent 67c270f
commit c5ff7ab
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -17,6 +17,13 @@ specific language governing permissions and limitations
 under the License.
 -->
 
+**2022-03-28  Dirk Frederickx (brushed AT apache DOT org)**
+
+* _2.11.3-git-05_
+
+* Weblog plugin: sanities the plugin output to protect against Xss attacks.
+
+
 **2022-03-22  Juan Pablo Santos (juanpablo AT apache DOT org)**
 
 * _2.11.3-git-04_

diff --git a/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java b/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java
@@ -69,7 +69,7 @@ public final class Release {
      *  <p>
      *  If the build identifier is empty, it is not added.
      */
-    public static final String     BUILD         = "04";
+    public static final String     BUILD         = "05";
 
     /**
      *  This is the generic version string you should use when printing out the version.  It is of

diff --git a/jspwiki-main/src/main/java/org/apache/wiki/plugin/WeblogPlugin.java b/jspwiki-main/src/main/java/org/apache/wiki/plugin/WeblogPlugin.java
@@ -223,7 +223,7 @@ public String execute( final Context context, final Map< String, String > params
                 startTime.setTime( d );
                 stopTime.setTime( d );
             } catch( final ParseException e ) {
-                return "Illegal time format: "+startDay;
+                return "Illegal time format: "+ TextUtil.replaceEntities(startDay);
             }
         }