LPS-123761 Escape both as HTML and attribute

liferay · Nov 24, 2020 · f13194d · f13194d
1 parent 47f4300
commit f13194d
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/...pps/redirect/redirect-web/src/main/resources/META-INF/resources/view_redirect_entries.jsp b/...pps/redirect/redirect-web/src/main/resources/META-INF/resources/view_redirect_entries.jsp
@@ -83,11 +83,11 @@ RedirectManagementToolbarDisplayContext redirectManagementToolbarDisplayContext
 					>
 
 						<%
-						String sourceURL = RedirectUtil.getGroupBaseURL(themeDisplay) + StringPool.SLASH + redirectEntry.getSourceURL();
+						String sourceURL = HtmlUtil.escape(RedirectUtil.getGroupBaseURL(themeDisplay) + StringPool.SLASH + redirectEntry.getSourceURL());
 						%>
 
-						<span data-title="<%= sourceURL %>">
-							<%= HtmlUtil.escape(sourceURL) %>
+						<span data-title="<%= HtmlUtil.escapeAttribute(sourceURL) %>">
+							<%= sourceURL %>
 						</span>
 					</liferay-ui:search-container-column-text>
 
@@ -100,7 +100,7 @@ RedirectManagementToolbarDisplayContext redirectManagementToolbarDisplayContext
 						String destinationURL = HtmlUtil.escape(redirectEntry.getDestinationURL());
 						%>
 
-						<span data-title="<%= destinationURL %>">
+						<span data-title="<%= HtmlUtil.escapeAttribute(destinationURL) %>">
 							<%= destinationURL %>
 						</span>
 					</liferay-ui:search-container-column-text>