Posted to commits@jspwiki.apache.org by br...@apache.org on 2022/11/24 09:25:10 UTC
[jspwiki] 04/08: XSS vulnerability reported by Eugene Lim and Sng Jay Kai.
This is an automated email from the ASF dual-hosted git repository.
brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 46e1ef7a595ca5cabf5ef184139910413f2024fc
Author: brushed <di...@gmail.com>
AuthorDate: Thu Nov 24 10:19:40 2022 +0100
XSS vulnerability reported by Eugene Lim and Sng Jay Kai.
---
jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java b/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java
index b8e717990..fa192e5d8 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java
@@ -87,9 +87,9 @@ public class InsertPage implements Plugin {
final StringBuilder res = new StringBuilder();
- final String clazz = params.get( PARAM_CLASS );
- final String includedPage = params.get( PARAM_PAGENAME );
- String style = params.get( PARAM_STYLE );
+ final String clazz = TextUtil.replaceEntities(params.get( PARAM_CLASS ));
+ final String includedPage = TextUtil.replaceEntities(params.get( PARAM_PAGENAME ));
+ String style = TextUtil.replaceEntities(params.get( PARAM_STYLE ));
final boolean showOnce = "once".equals( params.get( PARAM_SHOW ) );
final String defaultstr = params.get( PARAM_DEFAULT );
final int section = TextUtil.parseIntParameter(params.get( PARAM_SECTION ), -1 );
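Review bot: `defaultstr` on the `PARAM_DEFAULT` line is still read from `params` without encoding, while the three values above it now go through `TextUtil.replaceEntities`. If it is later appended to `res` as markup (its use is outside this hunk), it needs the same treatment: `final String defaultstr = TextUtil.replaceEntities( params.get( PARAM_DEFAULT ) );`. Separately, `includedPage` is now entity-encoded where it is read rather than where it is written, so any later page lookup or URL construction would presumably see the encoded form, and page names containing characters such as `&` or `<` may stop resolving or be encoded twice. Keeping the raw name for lookups and encoding only at the point of appending to `res` would avoid that. The enclosing method starts and ends outside the hunk, so both points need checking against the code below it.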