Fix for XSS vulnerability Bug 546816

Reflected XSS vulnerability in the __format URL parameter It should also take care of the other parameters. tested with associate unit test. Signed-off-by: shiheng guan <guans@opentext.com>
eclipse-birt · Jul 24, 2019 · 91ef718 · 91ef718
1 parent d56caca
commit 91ef718
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/...report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/utility/ParameterAccessor.java b/...report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/utility/ParameterAccessor.java
@@ -2104,7 +2104,7 @@ public static String getParameter( HttpServletRequest request,
 			{
 			}
 		}
-		return request.getParameter( parameterName );
+		return htmlEncode( request.getParameter( parameterName ) );
 	}
 
 	/**
@@ -2258,7 +2258,7 @@ public static String decodeFilePath( HttpServletRequest request,
 		{
 			return null;
 		}
-
+		filePath = htmlDecode( filePath );
 		if ( isEncodedPaths( request ) )
 		{
 			return decodeBase64( filePath );