Author: theute
Date: 2011-06-20 07:16:54 -0400 (Mon, 20 Jun 2011)
New Revision: 6677
Modified:
epp/portal/branches/EPP_5_1_RH_Branch/
epp/portal/branches/EPP_5_1_RH_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl
Log:
JBEPP-847
GTNPORTAL-1830 Cross Site Scripting vulnerabilities in user forms for RH Branch
Property changes on: epp/portal/branches/EPP_5_1_RH_Branch
___________________________________________________________________
Modified: svn:mergeinfo
- /epp/portal/branches/EPP_5_1_0_GA_JBEPP-795:5868
/portal/branches/branch-GTNPORTAL-1731:5668
+ /epp/portal/branches/EPP_5_1_0_GA_JBEPP-795:5868
/epp/portal/branches/EPP_5_1_Branch:6269
/portal/branches/branch-GTNPORTAL-1731:5668
Modified:
epp/portal/branches/EPP_5_1_RH_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl
===================================================================
---
epp/portal/branches/EPP_5_1_RH_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl 2011-06-20
09:13:44 UTC (rev 6676)
+++
epp/portal/branches/EPP_5_1_RH_Branch/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserInfoPortlet.gtmpl 2011-06-20
11:16:54 UTC (rev 6677)
@@ -1,16 +1,20 @@
<%
import org.exoplatform.services.organization.User;
-
+ import org.gatein.common.text.EntityEncoder;
+
def rcontext = _ctx.getRequestContext();
String accountSetting =
"javascript:if(document.getElementById('UIMaskWorkspace'))
ajaxGet(eXo.env.server.createPortalURL('UIPortal', 'AccountSettings',
true));"
%>
<div class="UIUserInfoPortlet" id="$uicomponent.id">
<div class="Name">
- <% if(rcontext.getRemoteUser() != null) { %>
- <a
href="$accountSetting"><%=uicomponent.getUser().getFullName()%></a>
+ <% if(rcontext.getRemoteUser() != null) {
+ EntityEncoder encoder = EntityEncoder.FULL;
+ fullName = encoder.encode(uicomponent.getUser().getFullName());
+ %>
+ <a href="$accountSetting"><%=fullName%></a>
<%} else {%>
<span></span>
<%}%>
</div>
-</div>
\ No newline at end of file
+</div>
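Review bot: `fullName` on the `encoder.encode(...)` line is assigned without a declaration, which in a Groovy template appears to make it a script-binding variable rather than a local; `String fullName = encoder.encode(uicomponent.getUser().getFullName());` keeps it scoped to this block and matches the typed `EntityEncoder encoder` declaration on the line above. The new code also passes `getFullName()` straight into `encode`, so if that getter can return null the outcome depends on how EntityEncoder treats a null argument — worth confirming, or guarding with `fullName = encoder.encode(uicomponent.getUser().getFullName() ?: "")`. A short comment next to the encoder, `// GTNPORTAL-1830: HTML-encode the display name before it is rendered into the anchor`, would record why the encoding step exists so it is not dropped in a later cleanup. The `$uicomponent.id` and `$accountSetting` interpolations remain unencoded; from this hunk they look server-generated rather than user-supplied, so that seems acceptable but is worth a quick check.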