Posted to commits@ofbiz.apache.org by ja...@apache.org on 2013/01/14 09:33:05 UTC

svn commit: r1432833 - /ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java

Author: jacopoc
Date: Mon Jan 14 08:33:04 2013
New Revision: 1432833

URL: http://svn.apache.org/viewvc?rev=1432833&view=rev
Log:
The Image.alt is now escaped to prevent the risk of an XSS attack.

Modified:
    ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java

Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java?rev=1432833&r1=1432832&r2=1432833&view=diff
==============================================================================
--- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java (original)
+++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java Mon Jan 14 08:33:04 2013
@@ -1554,7 +1554,12 @@ public abstract class ModelScreenWidget 
         }
 
         public String getAlt(Map<String, Object> context) {
-            return this.alt.expandString(context);
+            String alt = this.alt.expandString(context);
+            StringUtil.SimpleEncoder simpleEncoder = (StringUtil.SimpleEncoder) context.get("simpleEncoder");
+            if (simpleEncoder != null) {
+                alt = simpleEncoder.encode(alt);
+            }
+            return alt;
         }
 
         public String getUrlMode() {
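Review bot: The null check on `simpleEncoder` makes the new escaping fail open — when the rendering context carries no "simpleEncoder" entry, `getAlt` returns the expanded value unescaped, exactly as before the commit, so the XSS protection depends on every caller populating that key. If `StringUtil` offers a default HTML encoder, falling back to it (`alt = (simpleEncoder != null ? simpleEncoder : StringUtil.htmlEncoder).encode(alt);`, adjusted to whatever name the project actually uses) would close that gap; otherwise the intent should at least be recorded with a comment such as `// Escape the alt text here because it is written into an HTML attribute; callers must supply "simpleEncoder" in the context or the value passes through unescaped.` The unchecked cast on the `context.get("simpleEncoder")` line will throw a ClassCastException if some caller stores a different type under that key, which is worth a note or an `instanceof` guard. Note that other widget attributes rendered alongside `alt` in this class may still be unescaped; that is outside this hunk and I cannot confirm it from here. The enclosing `Image` class starts and ends outside the hunk.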