Posted to commits@jspwiki.apache.org by br...@apache.org on 2022/11/24 09:25:10 UTC

[jspwiki] 04/08: XSS vulnerability reported by Eugene Lim and Sng Jay Kai.

This is an automated email from the ASF dual-hosted git repository.

brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git

commit 46e1ef7a595ca5cabf5ef184139910413f2024fc
Author: brushed <di...@gmail.com>
AuthorDate: Thu Nov 24 10:19:40 2022 +0100

    XSS vulnerability reported by Eugene Lim and Sng Jay Kai.
---
 jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java b/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java
index b8e717990..fa192e5d8 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java
@@ -87,9 +87,9 @@ public class InsertPage implements Plugin {
 
         final StringBuilder res = new StringBuilder();
 
-        final String clazz        = params.get( PARAM_CLASS );
-        final String includedPage = params.get( PARAM_PAGENAME );
-        String style              = params.get( PARAM_STYLE );
+        final String clazz        = TextUtil.replaceEntities(params.get( PARAM_CLASS ));
+        final String includedPage = TextUtil.replaceEntities(params.get( PARAM_PAGENAME ));
+        String style              = TextUtil.replaceEntities(params.get( PARAM_STYLE ));
         final boolean showOnce    = "once".equals( params.get( PARAM_SHOW ) );
         final String defaultstr   = params.get( PARAM_DEFAULT );
         final int section         = TextUtil.parseIntParameter(params.get( PARAM_SECTION ), -1 );
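Review bot: `defaultstr` on the line after the changed block is still read raw while the three parameters above it now pass through TextUtil.replaceEntities; if the default text is later appended to `res` the way the class and style values are (its use is outside the hunk), it reaches the same HTML sink and should be escaped identically, `final String defaultstr   = TextUtil.replaceEntities( params.get( PARAM_DEFAULT ) );`. Escaping `includedPage` at the point it is read also means the escaped form is what any page lookup later in the method receives, so a page whose name contains `&` or `"` would presumably no longer resolve; escaping at the output point where the name is written into `res` would fix the injection without changing which pages can be inserted. Since `params.get` can return null for an absent parameter, it is worth confirming that `replaceEntities` is null-tolerant, otherwise an omitted class or style now throws where it previously stored null. The enclosing `execute` method starts before and continues past this hunk.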