Posted to commits@ofbiz.apache.org by jl...@apache.org on 2015/07/23 10:49:46 UTC

svn commit: r1692360 - /ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java

Author: jleroux
Date: Thu Jul 23 08:49:46 2015
New Revision: 1692360

URL: http://svn.apache.org/r1692360
Log:
The description attribute of the display-entity element is now escaped to prevent the risk of an XSS attack.

Modified:
    ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java

Modified: ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java?rev=1692360&r1=1692359&r2=1692360&view=diff
==============================================================================
--- ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java (original)
+++ ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java Thu Jul 23 08:49:46 2015
@@ -2201,8 +2201,17 @@ public class ModelFormField {
                 retVal = this.description.expandString(localContext, locale);
             }
             // try to get the entry for the field if description doesn't expand to anything
-            if (UtilValidate.isEmpty(retVal)) retVal = fieldValue;
-            if (UtilValidate.isEmpty(retVal)) retVal = "";
+            if (UtilValidate.isEmpty(retVal)) {
+                retVal = fieldValue;
+            } 
+            if (UtilValidate.isEmpty(retVal)) {
+                retVal = "";
+            } else if (this.getModelFormField().getEncodeOutput()) {
+                StringUtil.SimpleEncoder simpleEncoder = (StringUtil.SimpleEncoder) context.get("simpleEncoder");
+                if (simpleEncoder != null) {
+                    retVal = simpleEncoder.encode(retVal);
+                }
+            }
             return retVal;
         }
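Review bot: When `getEncodeOutput()` is true but `context.get("simpleEncoder")` returns null, the new branch falls through and returns `retVal` unencoded, so the XSS protection this commit introduces silently depends on whoever populates the render context; a missing encoder should at least be visible, e.g. a comment on the null check such as `// no simpleEncoder in context: value is returned unencoded despite encode-output being set` or, better, a warning log in that branch. Only the non-empty path is encoded, which is fine since the empty branch yields a literal `""`, but it is worth stating in the method's Javadoc that the description is HTML-encoded only when the parent field has encode-output enabled and an encoder is present. The `} ` on the first closing brace carries trailing whitespace. The enclosing method's signature and start lie outside this hunk.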