Html encode nodenames to prevent XSS attacks. Fixes U4-10497 XSS Vuln…

…erability in page name.
umbraco · Oct 6, 2017 · fe2b86b · fe2b86b
1 parent 368fec4
commit fe2b86b
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs b/src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs
@@ -30,7 +30,7 @@ protected override void OnInit(EventArgs e)
             }
 
             DocumentId = doc.Id;
-            PageName = doc.Name;
+            PageName = Server.HtmlEncode(doc.Name);
             DocumentPath = doc.Path;
 
         }

diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs
@@ -27,7 +27,7 @@ public notifications()
         protected void Page_Load(object sender, EventArgs e)
         {
             Button1.Text = ui.Text("update");
-            pane_form.Text = ui.Text("notifications", "editNotifications", node.Text, base.getUser());
+            pane_form.Text = ui.Text("notifications", "editNotifications", Server.HtmlEncode(node.Text), base.getUser());
         }
 
         #region Web Form Designer generated code