Author: hfnukal
Date: 2011-04-19 11:20:35 -0400 (Tue, 19 Apr 2011)
New Revision: 6291
Modified:
epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/core/UIGrid.gtmpl
Log:
JBEPP-598 XSS issue in user creation page
Modified:
epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/core/UIGrid.gtmpl
===================================================================
---
epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/core/UIGrid.gtmpl 2011-04-19
15:13:30 UTC (rev 6290)
+++
epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/groovy/webui/core/UIGrid.gtmpl 2011-04-19
15:20:35 UTC (rev 6291)
@@ -3,6 +3,7 @@
import org.exoplatform.webui.form.UIForm;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
+ import org.gatein.common.text.EntityEncoder;
String[] beanFields = uicomponent.getBeanFields();
String[] beanActions = uicomponent.getBeanActions();
@@ -64,6 +65,7 @@
%>
<tr class="$rowClass">
<%
+ EntityEncoder encoder = EntityEncoder.FULL;
for (field in beanFields)
{
def fieldValue = uicomponent.getFieldValue(bean, field);
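Review bot: `EntityEncoder encoder = EntityEncoder.FULL;` is placed inside the per-row `<% ... %>` block, so the constant is re-read into a fresh local on every row, and the local is only visible within that row's scriptlet. Since `EntityEncoder.FULL` is a static constant with no per-row state, it reads more naturally declared once at the top of the template next to the new import, e.g. `EntityEncoder encoder = EntityEncoder.FULL;` immediately after the `beanActions` line. The enclosing row loop starts outside this hunk.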
@@ -80,8 +82,8 @@
} else {
fieldValue = "";
}
- String value = fieldValue.toString();
- println "<td><div
class=\""+cssClass+"\"
title='$fieldValue'>"+fieldValue+"</div></td>";
+ String value = encoder.encode(fieldValue.toString());
+ println "<td><div
class=\""+cssClass+"\"
title='$value'>"+value+"</div></td>";
}
if (beanActions != null && beanActions.length > 0)
{
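Review bot: The `title` attribute on the new `println` line is single-quoted (`title='$value'`) while `class` is double-quoted, so the fix is only complete if `EntityEncoder.FULL` also encodes the apostrophe; HTML 4 defines no named entity for `'`, so if `FULL` maps named entities only, a field value containing `'` can still close the attribute and the XSS this commit targets is not fully closed for that attribute. Double-quoting the attribute removes the dependency on apostrophe handling, since any HTML entity encoder emits `&quot;` for `"`: `println "<td><div class=\""+cssClass+"\" title=\""+value+"\">"+value+"</div></td>";`. This also drops the mix of GString interpolation (`$value`) and string concatenation (`+value+`) on the same line, which the rest of the hunk uses consistently. The enclosing `for (field in beanFields)` loop begins outside this hunk.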