
[jspwiki] 05/08: XSS vulnerability reported by Eugene Lim and Sng Jay Kai.

This is an automated email from the ASF dual-hosted git repository.

brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git

commit df20770f251a8d7431047e556b144ef24ee6a3a7
Author: brushed <di...@gmail.com>
AuthorDate: Thu Nov 24 10:19:53 2022 +0100

    XSS vulnerability reported by Eugene Lim and Sng Jay Kai.
---
 jspwiki-main/src/main/java/org/apache/wiki/plugin/Search.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/jspwiki-main/src/main/java/org/apache/wiki/plugin/Search.java b/jspwiki-main/src/main/java/org/apache/wiki/plugin/Search.java
index 2ee164274..2889e3e85 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/Search.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/Search.java
@@ -29,6 +29,7 @@ import org.apache.wiki.api.plugin.Plugin;
 import org.apache.wiki.api.search.SearchResult;
 import org.apache.wiki.render.RenderingManager;
 import org.apache.wiki.search.SearchManager;
+import org.apache.wiki.util.TextUtil;
 import org.apache.wiki.util.XHTML;
 import org.apache.wiki.util.XhtmlUtil;
 import org.jdom2.Element;
@@ -88,7 +89,7 @@ public class Search implements Plugin {
                 results = doBasicQuery( context, queryString );
                 context.setVariable( set, results );
             } catch( final Exception e ) {
-                return "<div class='error'>" + e.getMessage() + "</div>\n";
+                return "<div class='error'>" + TextUtil.replaceEntities(e.getMessage()) + "</div>\n";
             }
         }
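Review bot: `e.getMessage()` can be null for many exception types, and the new line passes it straight into `TextUtil.replaceEntities(...)`; unless that helper is documented null-safe, the catch block would now throw an NPE instead of rendering an error, so guard it first, e.g. `final String msg = e.getMessage() == null ? e.getClass().getSimpleName() : e.getMessage();` followed by `return "<div class='error'>" + TextUtil.replaceEntities( msg ) + "</div>\n";`. Escaping fixes the markup injection, but reflecting an arbitrary exception message from a broad `catch( final Exception e )` into the page still discloses internal details (query-parser or backend errors) to any reader; consider logging the exception server-side and returning a generic message instead. As a point of style, the file already imports `XhtmlUtil` and `org.jdom2.Element` (context in the first hunk), so building the error `div` as an element would escape text content by construction rather than relying on the caller to remember `replaceEntities`. The enclosing method starts before and continues after this hunk, so any other string-built return paths in it are not visible here.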