OF-836 CVE-2015-6972 rXSS in audit-policy.jsp

36bb0e80 · Dave Cridland · 340f0fc9 · 36bb0e80
Commit 36bb0e80 authored Mar 23, 2016 by Dave Cridland
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

audit-policy.jsp src/web/audit-policy.jsp +4 -4

No files found.
--- a/src/web/audit-policy.jsp
+++ b/src/web/audit-policy.jsp
@@ -245,7 +245,7 @@
 						</td>
 						<td width="99%">
 							<input type="text" size="15" maxlength="50" name="maxTotalSize"
-							 value="<%= ((maxTotalSize != null) ? maxTotalSize : "") %>">
+							 value="<%= ((maxTotalSize != null) ? StringUtils.escapeForXML(maxTotalSize) : "") %>">

 						<%  if (errors.get("maxTotalSize") != null) { %>

@@ -263,7 +263,7 @@
 						</td>
 						<td width="99%">
 							<input type="text" size="15" maxlength="50" name="maxFileSize"
-							 value="<%= ((maxFileSize != null) ? maxFileSize : "") %>">
+							 value="<%= ((maxFileSize != null) ? StringUtils.escapeForXML(maxFileSize) : "") %>">

 						<%  if (errors.get("maxFileSize") != null) { %>

@@ -281,7 +281,7 @@
 						</td>
 						<td width="99%">
 							<input type="text" size="15" maxlength="50" name="maxDays"
-							 value="<%= ((maxDays != null) ? maxDays : "") %>">
+							 value="<%= ((maxDays != null) ? StringUtils.escapeForXML(maxDays) : "") %>">

 							<%  if (errors.get("maxDays") != null) { %>

@@ -299,7 +299,7 @@
 						</td>
 						<td width="99%">
 							<input type="text" size="15" maxlength="50" name="logTimeout"
-							 value="<%= ((logTimeout != null) ? logTimeout : "") %>">
+							 value="<%= ((logTimeout != null) ? StringUtils.escapeForXML(logTimeout) : "") %>">

 						<%  if (errors.get("logTimeout") != null) { %>