[gatein-commits] gatein SVN: r6203 - portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component.

do-not-reply at jboss.org do-not-reply at jboss.org
Wed Apr 13 07:05:59 EDT 2011


Author: theute
Date: 2011-04-13 07:05:58 -0400 (Wed, 13 Apr 2011)
New Revision: 6203

Modified:
   portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl
Log:
GTNPORTAL-1830: Cross Site Scripting vulnerabilities in user forms


Modified: portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl
===================================================================
--- portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl	2011-04-13 10:26:26 UTC (rev 6202)
+++ portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl	2011-04-13 11:05:58 UTC (rev 6203)
@@ -1,16 +1,20 @@
 <%	
 	import org.exoplatform.services.organization.User;
-		
+	import org.gatein.common.text.EntityEncoder;
+	
 	def rcontext = _ctx.getRequestContext();
 	
 	String accountSetting = "javascript:if(document.getElementById('UIMaskWorkspace')) ajaxGet(eXo.env.server.createPortalURL('UIPortal', 'AccountSettings', true));"
 %>
 <div class="UIUserInfoPortlet" id="$uicomponent.id">
 	<div class="Name">
-	<% if(rcontext.getRemoteUser() != null) { %>
-		<a href="$accountSetting"><%=uicomponent.getUser().getFullName()%></a>
+	<% if(rcontext.getRemoteUser() != null) { 
+		EntityEncoder encoder = EntityEncoder.FULL;
+                fullName = encoder.encode(uicomponent.getUser().getFullName());
+	%>
+		<a href="$accountSetting"><%=fullName%></a>
 	<%} else {%>
 		<span></span>
 	<%}%>
 	</div>
-</div>
\ No newline at end of file
+</div>
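Review bot: On the added line `fullName = encoder.encode(uicomponent.getUser().getFullName());` the variable is assigned without a declaration, unlike `EntityEncoder encoder = EntityEncoder.FULL;` just above it; in a Groovy template an undeclared assignment most likely lands in the template binding rather than a scriptlet local, so it should be `String fullName = encoder.encode(uicomponent.getUser().getFullName());`. The same line is indented with spaces while the surrounding template uses tabs. The encoding of the full name before it is emitted through `<%=fullName%>` is the right place for the fix; a short comment such as `// encode user-supplied full name before rendering to prevent XSS` would record why the indirection exists for the next maintainer.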


