Merge pull request #89 from The-Lady/EMPT110
RA-1875: EMPT110 Fixed XSS Vulnerability in AppId field on User App Page
isears committed Apr 22, 2021
2 parents db4f80b + d9b44e7 commit 0410c09
Showing 1 changed file with 4 additions and 3 deletions.
Expand Up @@ -15,6 +15,7 @@

import javax.servlet.http.HttpSession;

import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.codehaus.jackson.map.ObjectMapper;
Expand Down Expand Up @@ -52,7 +53,7 @@ public void get(PageModel model, @RequestParam(value = "appId", required = false
public String post(PageModel model, @ModelAttribute(value = "appId") @BindParams UserApp userApp,
@RequestParam("action") String action,
@SpringBean("appFrameworkService") AppFrameworkService service, HttpSession session, UiUtils ui) {

try {
AppDescriptor descriptor = mapper.readValue(userApp.getJson(), AppDescriptor.class);
if (!userApp.getAppId().equals(descriptor.getId())) {
Expand All @@ -65,14 +66,14 @@ public String post(PageModel model, @ModelAttribute(value = "appId") @BindParams
service.saveUserApp(userApp);

InfoErrorMessageUtil.flashInfoMessage(session,
ui.message("referenceapplication.app.userApp.save.success", userApp.getAppId()));
ui.message("referenceapplication.app.userApp.save.success", StringEscapeUtils.escapeHtml(userApp.getAppId())));

return "redirect:/referenceapplication/manageApps.page";
}
}
catch (Exception e) {
session.setAttribute(UiCommonsConstants.SESSION_ATTRIBUTE_ERROR_MESSAGE,
ui.message("referenceapplication.app.userApp.save.fail", userApp.getAppId()));
ui.message("referenceapplication.app.userApp.save.fail", StringEscapeUtils.escapeHtml(userApp.getAppId())));
}

model.addAttribute("userApp", userApp);
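Review bot: The escaping on the two `ui.message(...)` calls in the third hunk is applied while the message is built, which covers only the flash-message path; `model.addAttribute("userApp", userApp)` on the last visible line still hands the raw appId to the view, so whether that page is covered too depends on the template's own escaping, which this commit does not show. `StringEscapeUtils.escapeHtml` from commons-lang 2 also leaves the apostrophe unescaped, so the result is safe in element content or a double-quoted attribute but not in a single-quoted attribute or a JavaScript string; a comment at the first escape would make that contract explicit, e.g. `// escapeHtml covers <, >, &, " but not ' — the message must be rendered as element content or in a double-quoted attribute`. If the rendering layer already HTML-escapes flash messages, these values will come out double-encoded (`&amp;lt;`), so it is worth confirming which layer owns the escaping rather than doing it in both. The enclosing post() method starts in the second hunk and continues past the end of this section.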
