Escape request params to prevent XSS

web/src/main/java/org/fao/geonet/util/XslUtil.java

@@ -10,6 +10,7 @@
 import jeeves.server.ProfileManager;
 import jeeves.utils.Log;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.fao.geonet.constants.Geonet;
 import org.fao.geonet.kernel.search.LuceneSearcher;
 import org.fao.geonet.languages.IsoLanguagesMapper;
@@ -289,4 +290,13 @@ public static boolean match(Object src, Object pattern) {
 		return src.toString().matches(pattern.toString());
 	}
 
+    /**
+     * Escapes the characters in a String using HTML entities.
+     *
+     * @param str
+     * @return
+     */
+    public static String escapeForHtml(String str) {
+        return StringEscapeUtils.escapeHtml(str);
+    }
 }

web/src/main/webapp/xsl/main-page.xsl

@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 	xmlns:exslt="http://exslt.org/common" xmlns:geonet="http://www.fao.org/geonetwork"
+    xmlns:java="java:org.fao.geonet.util.XslUtil"
 	exclude-result-prefixes="xsl exslt geonet">
 
 	<xsl:include href="main.xsl"/>
@@ -12,7 +13,7 @@
 		<xsl:call-template name="geoCssHeader"/>
 		<xsl:call-template name="ext-ux-css"/>
 	</xsl:template>
-	
+
 	<!--
 		additional scripts
 	-->
@@ -106,13 +107,10 @@
 
 		<script type="text/javascript" src="{/root/gui/url}/scripts/core/kernel/kernel.js"/><xsl:text>&#10;</xsl:text>
 
-		<xsl:variable name="wmc"><xsl:copy-of select="/root/request/wmc"/></xsl:variable>
-		<xsl:variable name="uuid"><xsl:copy-of select="/root/request/uuid"/></xsl:variable>
-		<xsl:variable name="id"><xsl:copy-of select="/root/request/id"/></xsl:variable>
-		<xsl:variable name="urlWMS"><xsl:copy-of select="/root/request/url"/></xsl:variable>
-		<xsl:variable name="typeWMS"><xsl:copy-of select="/root/request/type"/></xsl:variable>
-		<xsl:variable name="tab"><xsl:copy-of select="/root/request/tab"/></xsl:variable>
-		<xsl:variable name="search"><xsl:copy-of select="/root/request/search"/></xsl:variable>
+		<xsl:variable name="uuid"><xsl:value-of select="java:escapeForHtml(/root/request/uuid)" /></xsl:variable>
+		<xsl:variable name="id"><xsl:copy-of select="java:escapeForHtml(/root/request/id)"/></xsl:variable>
+		<xsl:variable name="tab"><xsl:copy-of select="java:escapeForHtml(/root/request/tab)"/></xsl:variable>
+		<xsl:variable name="search"><xsl:copy-of select="java:escapeForHtml(/root/request/search)"/></xsl:variable>
 
 		<script type="text/javascript">
 
@@ -338,23 +336,6 @@
 				if (id!='') {
 					gn_showSingleMetadata(id);
 				}
-
-				<!-- If a WMS server & layername(s) are passed, it will be opened 
-					 in the map viewer the large map viewer will also be opened -->
-				var urlWMS="<xsl:value-of select="$urlWMS"/>";
-				var typeWMS="<xsl:value-of select="$typeWMS"/>";
-				servicesWMS = new Array();
-				<xsl:for-each select="/root/request/service">
-					<xsl:text>servicesWMS.push("</xsl:text><xsl:value-of select="."/><xsl:text>");</xsl:text>
-				</xsl:for-each>
-				if (urlWMS!='') {
-				if (servicesWMS.length!=null || servicesWMS.length>0) {
-						if (typeWMS!='') {
-							imc_addServices(urlWMS, servicesWMS, typeWMS, im_servicesAdded);
-							openIntermap();
-						}
-					}
-				}
 			});
 
 			function initMapViewer() {