Author: hfnukal
Date: 2011-05-09 09:32:31 -0400 (Mon, 09 May 2011)
New Revision: 6451
Modified:
epp/portal/branches/EPP_5_1_Branch/portlet/web/src/main/webapp/groovy/portal/webui/component/UILogoPortlet.gtmpl
epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/organization/account/UIUserSelector.gtmpl
Log:
JBEPP-914 XSS issues with user's firstname and lastname
Modified:
epp/portal/branches/EPP_5_1_Branch/portlet/web/src/main/webapp/groovy/portal/webui/component/UILogoPortlet.gtmpl
===================================================================
---
epp/portal/branches/EPP_5_1_Branch/portlet/web/src/main/webapp/groovy/portal/webui/component/UILogoPortlet.gtmpl 2011-05-06
14:32:47 UTC (rev 6450)
+++
epp/portal/branches/EPP_5_1_Branch/portlet/web/src/main/webapp/groovy/portal/webui/component/UILogoPortlet.gtmpl 2011-05-09
13:32:31 UTC (rev 6451)
@@ -2,6 +2,7 @@
import javax.portlet.PortletMode ;
import org.exoplatform.portal.application.PortalRequestContext;
import org.exoplatform.portal.webui.util.Util;
+ import org.gatein.common.text.EntityEncoder;
def prContext = _ctx.getRequestContext().getParentAppRequestContext();
String signInAction = "if(document.getElementById('UIMaskWorkspace'))
ajaxGet(eXo.env.server.createPortalURL('UIPortal', 'ShowLoginForm',
true));" ;
@@ -10,6 +11,8 @@
String accountSetting =
"javascript:if(document.getElementById('UIMaskWorkspace'))
ajaxGet(eXo.env.server.createPortalURL('UIPortal', 'AccountSettings',
true));"
String registerURI = Util.getPortalRequestContext().getPortalURI() +
"register";
String navTitle = uicomponent.getNavigationTitle();
+ EntityEncoder encoder = EntityEncoder.FULL;
+ navTitle = encoder.encode(navTitle);
%>
<div class="UILogoPortlet ClearFix" id="$uicomponent.id" >
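Review bot: The new `navTitle = encoder.encode(navTitle);` line passes the raw return value of `uicomponent.getNavigationTitle()` straight to the encoder without the null guard that UIUserSelector.gtmpl applies to its fields in the same commit; unless `EntityEncoder.encode` is documented to accept null, a missing title would fail at render time instead of printing an empty string. A guard such as `navTitle = navTitle != null ? encoder.encode(navTitle) : "";` keeps both templates on the same convention. Entity encoding also makes the value safe only for HTML text and attribute contexts; the lines that emit `navTitle` lie outside this hunk, so if it is ever interpolated into a JavaScript string like `signInAction` above, a different escaping would be required.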
Modified:
epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/organization/account/UIUserSelector.gtmpl
===================================================================
---
epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/organization/account/UIUserSelector.gtmpl 2011-05-06
14:32:47 UTC (rev 6450)
+++
epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/organization/account/UIUserSelector.gtmpl 2011-05-09
13:32:31 UTC (rev 6451)
@@ -1,6 +1,9 @@
<%
import org.exoplatform.services.organization.User;
import org.exoplatform.webui.core.UIPopupWindow;
+ import org.gatein.common.text.EntityEncoder;
+
+ EntityEncoder encoder = EntityEncoder.FULL;
uiform.begin()
def rcontext = _ctx.getRequestContext();
boolean isMulti = uicomponent.getMulti();
@@ -104,10 +107,10 @@
</div>
</td>
<% } %>
- <% String userName = data.getUserName() != null ? data.getUserName() :
"";
- String firstName = data.getFirstName() != null ? data.getFirstName() :
"";
- String lastName = data.getLastName() != null ? data.getLastName() :
"";
- String userEmail = data.getEmail() != null ? data.getEmail() : "";
+ <% String userName = encoder.encode(data.getUserName() != null ?
data.getUserName() : "");
+ String firstName = encoder.encode(data.getFirstName() != null ?
data.getFirstName() : "");
+ String lastName = encoder.encode(data.getLastName() != null ?
data.getLastName() : "");
+ String userEmail = encoder.encode(data.getEmail() != null ? data.getEmail() :
"");
%>
<td><div class="Text" title='$userName'><%=
userName %></div></td>
<td><div class="Text" title="$firstName"><%=
firstName %></div></td>
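Review bot: The encoded `userName` is emitted on the `title='$userName'` line inside a single-quoted attribute, while the neighbouring `firstName` line uses double quotes; whether the single-quoted form is safe depends on `EntityEncoder.FULL` encoding the apostrophe, which the hunk does not show. Changing that line to `title="$userName"` removes the dependency on the encoder's entity table, since the double quote is encoded by every HTML entity encoder. The `lastName` and `userEmail` uses lie below the hunk and should be checked for the same quoting. Because the four variables now hold already-encoded text, any later use of them outside HTML output (a form value sent back to the server, a JavaScript string) would carry entities rather than the raw names.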