Author: jacopoc
Date: Sat Jan 12 08:20:28 2013
New Revision: 1432397
URL:
http://svn.apache.org/viewvc?rev=1432397&view=revLog:
Applied fix from trunk for revision: 1432392
===
The content of the Screenlet title is now escaped to prevent the risk of an XSS attack.
Modified:
ofbiz/branches/release10.04/ (props changed)
ofbiz/branches/release10.04/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java
Propchange: ofbiz/branches/release10.04/
------------------------------------------------------------------------------
Merged /ofbiz/trunk:r1432392
Modified: ofbiz/branches/release10.04/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release10.04/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java?rev=1432397&r1=1432396&r2=1432397&view=diff==============================================================================
--- ofbiz/branches/release10.04/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java (original)
+++ ofbiz/branches/release10.04/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java Sat Jan 12 08:20:28 2013
@@ -449,7 +449,12 @@ public abstract class ModelScreenWidget
}
public String getTitle(Map<String, Object> context) {
- return this.titleExdr.expandString(context);
+ String title = this.titleExdr.expandString(context);
+ StringUtil.SimpleEncoder simpleEncoder = (StringUtil.SimpleEncoder) context.get("simpleEncoder");
+ if (simpleEncoder != null) {
+ title = simpleEncoder.encode(title);
+ }
+ return title;
}
public Menu getNavigationMenu() {
Locked
