-
Dave Cridland authored
The subdomain parameter in external-components-settings.jsp was reflected in both cases in the deletion URI as an unencoded parameter. Originally discovered by Simon Waters, then this case found by Florian Nivette of Sysdream. Fix is twofold: * The parameter is now encoded on output, the deletion URI is now set using the JSP tags instead of string construction. * The subdomain parameter is validated on input, making it difficult to inject script elements etc.
b44bf488