From fe2b86b681455ac975b294652064b2718d4e2ba2 Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen
Date: Fri, 6 Oct 2017 14:38:07 +0200
Subject: [PATCH] Html encode nodenames to prevent XSS attacks. Fixes U4-10497 XSS Vulnerability in page name.
---
 src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs | 2 +-
 .../umbraco.presentation/umbraco/dialogs/notifications.aspx.cs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs b/src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs
index 7e09d0b4251a..ababea628aa8 100644
--- a/src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs
+++ b/src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs
@@ -30,7 +30,7 @@ protected override void OnInit(EventArgs e)
             }
             DocumentId = doc.Id;
-            PageName = doc.Name;
+            PageName = Server.HtmlEncode(doc.Name);
             DocumentPath = doc.Path;
         }
diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs
index 70137da92060..195ac15ec80e 100644
--- a/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs
@@ -27,7 +27,7 @@ public notifications()
         protected void Page_Load(object sender, EventArgs e)
         {
             Button1.Text = ui.Text("update");
-            pane_form.Text = ui.Text("notifications", "editNotifications", node.Text, base.getUser());
+            pane_form.Text = ui.Text("notifications", "editNotifications", Server.HtmlEncode(node.Text), base.getUser());
         }
         #region Web Form Designer generated code
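Review bot: Encoding at the point where `PageName` is assigned only closes this sink if every reader of `PageName` writes it straight into HTML; if the .aspx also emits it into a JavaScript string or an attribute, or through a control that encodes its own output, the stored value is now wrong for that context (double-encoded or still unsafe for JS). The conventional placement is at the output — `<%: PageName %>` in the markup, or `HttpUtility.HtmlEncode` at the render site — so the property keeps the raw name and each context encodes for itself. If the assignment is kept as is, record the invariant on the property so the next maintainer does not encode it again, e.g. `/// <summary>Document name, already HTML-encoded for direct output into the dialog markup.</summary>`. `DocumentPath` on the following line is still assigned raw; whether it is rendered is not visible in this hunk. `OnInit` begins before the hunk and the file continues past it.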
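Review bot: Only the node name is encoded before it is interpolated into the localized `editNotifications` template; the template text itself reaches `pane_form.Text` unencoded, so the fix relies on the dictionary entry being trusted markup and on the template not placing the name inside an attribute or script. Whether this is the right shape depends on how `pane_form` renders `Text`: if the control already encodes (as an encoding literal would), this becomes a double-encode; if it renders raw HTML, encoding the argument at the call site is correct, but nothing here says which. A short why-comment would keep the intent from being lost in a later refactor: `// node.Text is user-controlled; encode before interpolation since pane_form renders Text as raw HTML`. `Page_Load` is complete within the hunk, but the enclosing class continues past it.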