OF-1165 fixed Stored Cross-Site Scripting vulnerability

9c490364 · wroot · akrherz · 492ca16f · 9c490364 · 9c490364
Commit 9c490364 authored Jul 24, 2016 by wroot Committed by akrherz Jul 25, 2016
Showing with 8 additions and 3 deletions

changelog.html src/plugins/search/changelog.html +5 -0

plugin.xml src/plugins/search/plugin.xml +2 -2

advance-user-search.jsp src/plugins/search/src/web/advance-user-search.jsp +1 -1

No files found.
--- a/src/plugins/search/changelog.html
+++ b/src/plugins/search/changelog.html
@@ -44,6 +44,11 @@
 Search Plugin Changelog
 </h1>
+<p><b>1.7.1</b> -- July 24, 2016</p>
+<ul>
+    <li>[<a href='https://issues.igniterealtime.org/browse/OF-1165'>OF-1165</a>] - Fixed Stored Cross-Site Scripting vulnerability.</li>
+</ul>
 <p><b>1.7.0</b> -- October 12, 2015</p>
 <ul>
    <li>[<a href='http://www.igniterealtime.org/issues/browse/OF-953'>OF-953</a>] - Updated JSP libraries.</li>

--- a/src/plugins/search/plugin.xml
+++ b/src/plugins/search/plugin.xml
@@ -5,8 +5,8 @@
    <name>Search</name>
    <description>Provides support for Jabber Search (XEP-0055)</description>
    <author>Ryan Graham</author>
-    <version>1.7.0</version>
+    <version>1.7.1</version>
-    <date>10/12/2015</date>
+    <date>07/24/2016</date>
    <minServerVersion>4.0.0</minServerVersion>
    <adminconsole>

--- a/src/plugins/search/src/web/advance-user-search.jsp
+++ b/src/plugins/search/src/web/advance-user-search.jsp
@@ -164,7 +164,7 @@
           <a href="../../user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= JID.unescapeNode(user.getUsername()) %></a>
       </td>
       <td width="33">
-           <%= user.getName() %> &nbsp;
+           <%= StringUtils.escapeHTMLTags(user.getName()) %> &nbsp;
       </td>
       <td width="15%">
           <%= JiveGlobals.formatDate(user.getCreationDate()) %> &nbsp;