Author: thomas.heute(a)jboss.com
Date: 2010-11-01 12:15:31 -0400 (Mon, 01 Nov 2010)
New Revision: 4891
Modified:
portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UIGrid.gtmpl
Log:
GTNPORTAL-1616: XSS issue in user creation page
Modified: portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UIGrid.gtmpl
===================================================================
--- portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UIGrid.gtmpl 2010-11-01
15:46:08 UTC (rev 4890)
+++ portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UIGrid.gtmpl 2010-11-01
16:15:31 UTC (rev 4891)
@@ -3,6 +3,7 @@
import org.exoplatform.webui.form.UIForm;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
+ import org.gatein.common.text.EntityEncoder;
String[] beanFields = uicomponent.getBeanFields();
String[] beanActions = uicomponent.getBeanActions();
@@ -64,6 +65,7 @@
%>
<tr class="$rowClass">
<%
+ EntityEncoder encoder = EntityEncoder.FULL;
for (field in beanFields)
{
def fieldValue = uicomponent.getFieldValue(bean, field);
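Review bot: `EntityEncoder encoder = EntityEncoder.FULL;` is assigned inside the per-row `<tr>` block, so the same constant is re-bound on every row; it reads more naturally hoisted next to the `beanFields`/`beanActions` setup at the top of the template, where the import was added. This is a point of style only — `FULL` is a shared constant, so the placement does not change the output. The enclosing row loop starts before this hunk, so I cannot see whether an earlier, better spot exists.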
@@ -80,8 +82,8 @@
} else {
fieldValue = "";
}
- String value = fieldValue.toString();
- println "<td><div
class=\""+cssClass+"\"
title='$fieldValue'>"+fieldValue+"</div></td>";
+ String value = encoder.encode(fieldValue.toString());
+ println "<td><div
class=\""+cssClass+"\"
title='$value'>"+value+"</div></td>";
}
if (beanActions != null && beanActions.length > 0)
{
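Review bot: The encoded value is written into a single-quoted attribute, `title='$value'`, while the `class` attribute on the same line is double-quoted; whether the fix closes the XSS depends on `EntityEncoder.FULL` encoding the apostrophe, which I cannot confirm from this page. If it does not, an apostrophe in a field value still terminates the `title` attribute even though the text node is now safe. Using the same quoting as `class` — `title=\""+value+"\"` — puts the value in a double-quoted attribute, where the `"` entity is conventionally encoded, and removes the dependence on the encoder's handling of `'`. Worth a one-line comment above the println recording that `value` is entity-encoded for both the attribute and the element body, so a later edit does not reintroduce the raw `fieldValue`.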