Posted to commits@jspwiki.apache.org by br...@apache.org on 2019/04/24 17:36:13 UTC
[jspwiki] branch master updated: 2.11.0-M4-git-06 [JSPWIKI-1109]
ReferredPagesPlugin with illegal characters
This is an automated email from the ASF dual-hosted git repository.
brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
The following commit(s) were added to refs/heads/master by this push:
new 46cd981 2.11.0-M4-git-06 [JSPWIKI-1109] ReferredPagesPlugin with illegal characters
46cd981 is described below
commit 46cd981dfb431730da3f9249f5db858aacf11e52
Author: brushed <di...@gmail.com>
AuthorDate: Wed Apr 24 19:36:00 2019 +0200
2.11.0-M4-git-06 [JSPWIKI-1109] ReferredPagesPlugin with illegal characters
---
ChangeLog | 7 +++++++
jspwiki-main/src/main/java/org/apache/wiki/Release.java | 2 +-
.../src/main/java/org/apache/wiki/plugin/ReferredPagesPlugin.java | 6 +++---
3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 482edaa..f178c42 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2019-04-23 Dirk Frederickx (brushed AT apache DOT org)
+ * 2.11.0-M4-git-06
+
+ * [JSPWIKI-1109] ReferredPagesPlugin with illegal characters in parameters
+ causes XSS vulnerability
+
+2019-04-23 Dirk Frederickx (brushed AT apache DOT org)
+
* 2.11.0-M4-git-05
* [JSPWIKI-1108] interwiki links with illegal characters causes XSS vulnerability
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/Release.java b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
index f8b77be..6e288d6 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/Release.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
@@ -72,7 +72,7 @@ public final class Release {
* <p>
* If the build identifier is empty, it is not added.
*/
- public static final String BUILD = "05";
+ public static final String BUILD = "06";
/**
* This is the generic version string you should use when printing out the version. It is of
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferredPagesPlugin.java b/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferredPagesPlugin.java
index a737f27..0d8059d 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferredPagesPlugin.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferredPagesPlugin.java
@@ -134,8 +134,8 @@ public class ReferredPagesPlugin implements WikiPlugin {
m_result.append("<div class=\"ReferredPagesPlugin\">\n");
m_result.append("<a class=\"wikipage\" href=\""+ href +
- "\" title=\"" + title +
- "\">" + rootname + "</a>\n");
+ "\" title=\"" + TextUtil.replaceEntities(title) +
+ "\">" + TextUtil.replaceEntities(rootname) + "</a>\n");
m_exists.add(rootname);
// pre compile all needed patterns
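Review bot: `href` on the `<a class=\"wikipage\" href=\""+ href +` line is still concatenated into the attribute unescaped, while `title` and `rootname` beside it now go through `TextUtil.replaceEntities`. Where `href` is built is outside this hunk, so it may already be URL-encoded by the wiki's URL constructor; if that is not guaranteed, the same attribute-context escaping should apply, e.g. `"<a class=\"wikipage\" href=\"" + TextUtil.replaceEntities(href) +`. If it is guaranteed, a short comment such as `// href comes from the URL constructor and is already encoded` would stop the next reader from asking the same question. The enclosing method starts and ends outside the hunk, so any other places in this plugin that append page names or parameters to `m_result` are not visible here and are worth checking for the same treatment.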
@@ -232,7 +232,7 @@ public class ReferredPagesPlugin implements WikiPlugin {
}
} else {
if( !isUL ) {
- isUL = true;
+ isUL = true;
m_result.append("<ul>\n");
}