This repository has been archived by the owner on May 9, 2020. It is now read-only.

Applied fix from trunk for revision: 1432392
===

The content of the Screenlet title is now escaped to prevent the risk of an XSS attack.


git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release10.04@1432397 13f79535-47bb-0310-9956-ffa450edef68
jacopoc committed Jan 12, 2013
1 parent 51457b0 commit bac5490
Showing 1 changed file with 6 additions and 1 deletion.
Expand Up @@ -449,7 +449,12 @@ public String getId(Map<String, Object> context) {
}

public String getTitle(Map<String, Object> context) {
return this.titleExdr.expandString(context);
String title = this.titleExdr.expandString(context);
StringUtil.SimpleEncoder simpleEncoder = (StringUtil.SimpleEncoder) context.get("simpleEncoder");
if (simpleEncoder != null) {
title = simpleEncoder.encode(title);
}
return title;
}

public Menu getNavigationMenu() {
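Review bot: in the new `getTitle`, when `context.get("simpleEncoder")` returns null the title is returned unencoded, so the fix silently degrades to the previous unescaped behaviour for any caller that does not populate the context with an encoder. Consider failing closed here (for example, applying a default encoder or at least logging the missing-encoder case) and documenting in a Javadoc comment that callers must supply `simpleEncoder`; the unchecked cast to `StringUtil.SimpleEncoder` could also be guarded with `instanceof` so a mis-typed context entry produces a clear error rather than a ClassCastException.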

0 comments on commit bac5490