Author: hfnukal
Date: 2011-04-18 11:03:52 -0400 (Mon, 18 Apr 2011)
New Revision: 6269
Modified:
epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl
Log:
JBEPP-847 Cross Site Scripting vulnerabilities in user forms
Modified:
epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl
===================================================================
---
epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl 2011-04-18
14:41:18 UTC (rev 6268)
+++
epp/portal/branches/EPP_5_1_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl 2011-04-18
15:03:52 UTC (rev 6269)
@@ -1,16 +1,20 @@
<%
import org.exoplatform.services.organization.User;
-
+ import org.gatein.common.text.EntityEncoder;
+
def rcontext = _ctx.getRequestContext();
String accountSetting =
"javascript:if(document.getElementById('UIMaskWorkspace'))
ajaxGet(eXo.env.server.createPortalURL('UIPortal', 'AccountSettings',
true));"
%>
<div class="UIUserInfoPortlet" id="$uicomponent.id">
<div class="Name">
- <% if(rcontext.getRemoteUser() != null) { %>
- <a
href="$accountSetting"><%=uicomponent.getUser().getFullName()%></a>
+ <% if(rcontext.getRemoteUser() != null) {
+ EntityEncoder encoder = EntityEncoder.FULL;
+ fullName = encoder.encode(uicomponent.getUser().getFullName());
+ %>
+ <a href="$accountSetting"><%=fullName%></a>
<%} else {%>
<span></span>
<%}%>
</div>
-</div>
\ No newline at end of file
+</div>
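Review bot: The new `fullName = encoder.encode(...)` line assigns without a declaration, which in a Groovy template binds the name into the script binding rather than a local, and `getFullName()` reaching `encode` as null is not handled on the visible lines (whether `EntityEncoder.encode` tolerates null is not shown here). I would declare it and default the null case in one line: `String fullName = EntityEncoder.FULL.encode(uicomponent.getUser().getFullName() ?: "");`, dropping the separate `encoder` local. Encoding with `EntityEncoder.FULL` is the right context for element text, and `$accountSetting` is a fixed javascript: string, so the href is not attacker-influenced; `$uicomponent.id` in the `id` attribute stays unencoded, which is acceptable only if component ids are never derived from user input, which I cannot confirm from this hunk. Since JBEPP-847 covers "user forms" generally, it is worth checking that the other templates rendering `getFullName()` or similar profile fields received the same treatment in this revision.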