OF-393: Escape markup for group name/description in admin console (Peter Johnson)

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@13634 b35dd754-fafc-0310-a699-88a17e54d16e

src/web/group-edit.jsp

@@ -29,6 +29,7 @@
 <%@ page import="org.jivesoftware.util.LocaleUtils"%>
 <%@ page import="org.jivesoftware.util.Log"%>
 <%@ page import="org.jivesoftware.util.ParamUtils"%>
+<%@ page import="org.jivesoftware.util.StringUtils"%>
 <%@ page import="org.xmpp.packet.JID"%>
 <%@ page import="org.xmpp.packet.Presence"%>
 <%@ page import="java.io.UnsupportedEncodingException"%>
@@ -338,10 +339,10 @@
         <% } %>
 
         <h3>
-			<%= group.getName() %>
+			<%= StringUtils.escapeHTMLTags(group.getName()) %>
 		</h3>
 		<p>
-			<%= group.getDescription() != null ? group.getDescription() : "" %>
+			<%= group.getDescription() != null ? StringUtils.escapeHTMLTags(group.getDescription()) : "" %>
 		</p>
     </div>
 	<!-- END group name and description -->
@@ -443,7 +444,7 @@
 
 											<option value="<%= URLEncoder.encode(g.getName(), "UTF-8") %>"
 											 <%= (contains(groupNames, g.getName()) ? "selected" : "") %>
-											 ><%= g.getName() %></option>
+											 ><%= StringUtils.escapeHTMLTags(g.getName()) %></option>
 
 										<%  } %>
 

src/web/group-summary.jsp

@@ -178,11 +178,11 @@ document.searchForm.search.focus();
             <%= i %>
         </td>
         <td width="60%">
-            <a href="group-edit.jsp?group=<%= groupName %>"><%= group.getName() %></a>
+            <a href="group-edit.jsp?group=<%= groupName %>"><%= StringUtils.escapeHTMLTags(group.getName()) %></a>
             <% if (group.getDescription() != null) { %>
             <br>
                 <span class="jive-description">
-                <%= group.getDescription() %>
+                <%= StringUtils.escapeHTMLTags(group.getDescription()) %>
                 </span>
              <% } %>
         </td>

src/web/user-properties.jsp

@@ -289,7 +289,7 @@
                         if (count != 0) {
                             out.print(", ");
                         }
-                        out.print(group.getName());
+                        out.print(StringUtils.escapeHTMLTags(group.getName()));
                         count++;
                     }
                 }

src/web/user-roster.jsp

@@ -25,6 +25,7 @@
 <%@ page import="org.jivesoftware.openfire.roster.Roster" %>
 <%@ page import="org.jivesoftware.openfire.roster.RosterItem" %>
 <%@ page import="org.jivesoftware.util.LocaleUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="java.util.*" %>
 <%@ page import="org.jivesoftware.openfire.group.Group" %>
 <%@ page import="org.xmpp.packet.JID" %>
@@ -308,7 +309,7 @@
                         if (count != 0) {
                             out.print(", ");
                         }
-                        out.print(group);
+                        out.print(StringUtils.escapeHTMLTags(group));
                         count++;
                     }
                 }
@@ -320,7 +321,7 @@
                                 out.print(", ");
                             }
                             out.print("<a style='text-decoration: underline' href='group-edit.jsp?group="+URLEncoder.encode(group.getName(), "UTF-8")+"'>");
-                            out.print(group.getName());
+                            out.print(StringUtils.escapeHTMLTags(group.getName()));
                             out.print("</a>");
                             count++;
                         }