Author: theute
Date: 2011-04-13 07:05:58 -0400 (Wed, 13 Apr 2011)
New Revision: 6203
Modified:
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl
Log:
GTNPORTAL-1830: Cross Site Scripting vulnerabilities in user forms
Modified:
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl
===================================================================
---
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl 2011-04-13
10:26:26 UTC (rev 6202)
+++
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl 2011-04-13
11:05:58 UTC (rev 6203)
@@ -1,16 +1,20 @@
<%
import org.exoplatform.services.organization.User;
-
+ import org.gatein.common.text.EntityEncoder;
+
def rcontext = _ctx.getRequestContext();
String accountSetting =
"javascript:if(document.getElementById('UIMaskWorkspace'))
ajaxGet(eXo.env.server.createPortalURL('UIPortal', 'AccountSettings',
true));"
%>
<div class="UIUserInfoPortlet" id="$uicomponent.id">
<div class="Name">
- <% if(rcontext.getRemoteUser() != null) { %>
- <a
href="$accountSetting"><%=uicomponent.getUser().getFullName()%></a>
+ <% if(rcontext.getRemoteUser() != null) {
+ EntityEncoder encoder = EntityEncoder.FULL;
+ fullName = encoder.encode(uicomponent.getUser().getFullName());
+ %>
+ <a href="$accountSetting"><%=fullName%></a>
<%} else {%>
<span></span>
<%}%>
</div>
-</div>
\ No newline at end of file
+</div>
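Review bot: `fullName` on the new line `fullName = encoder.encode(uicomponent.getUser().getFullName());` is assigned without a declaration, so it lands in the template's script binding rather than being a local like `accountSetting` and `encoder` a few lines above; `def fullName = encoder.encode(uicomponent.getUser().getFullName());` keeps the three declarations consistent and avoids an accidental shared binding entry. Encoding with `EntityEncoder.FULL` before the `<%=fullName%>` output is the right fix for this element-content context, and the removed line shows the unencoded value was previously written directly into the anchor text. What this hunk does not show is how `encode` behaves when `getFullName()` returns null; if that is possible for a logged-in user, a short guard such as `def name = uicomponent.getUser().getFullName() ?: "";` before the encode call would make the template robust without changing the escaping.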