Commit a7740154 authored by Tom Evans's avatar Tom Evans Committed by tevans

OF-595: Avoid script injection for security audit viewer in admin console (Peter Johnson).

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@13636 b35dd754-fafc-0310-a699-88a17e54d16e
parent 9ca43569
...@@ -31,6 +31,7 @@ ...@@ -31,6 +31,7 @@
<%@ page import="java.text.SimpleDateFormat" %> <%@ page import="java.text.SimpleDateFormat" %>
<%@ page import="java.text.ParseException" %> <%@ page import="java.text.ParseException" %>
<%@ page import="org.jivesoftware.util.LocaleUtils" %> <%@ page import="org.jivesoftware.util.LocaleUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %> <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %> <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
...@@ -172,7 +173,7 @@ ...@@ -172,7 +173,7 @@
<%= event.getSummary() %> <%= event.getSummary() %>
<% if (event.getDetails() != null) { %> <% if (event.getDetails() != null) { %>
&nbsp; <a href="" onclick="if (document.getElementById('details<%= event.getMsgID() %>').style.display == 'none') { document.getElementById('details<%= event.getMsgID() %>').style.display = 'block'; document.getElementById('label<%= event.getMsgID() %>').innerHTML = '<%= LocaleUtils.getLocalizedString("security.audit.viewer.hide_details")%>'; return false;} else { document.getElementById('details<%= event.getMsgID() %>').style.display = 'none'; document.getElementById('label<%= event.getMsgID() %>').innerHTML = '<%= LocaleUtils.getLocalizedString("security.audit.viewer.show_details")%>'; return false;}" id="label<%= event.getMsgID() %>"><fmt:message key="security.audit.viewer.show_details" /></a><br/> &nbsp; <a href="" onclick="if (document.getElementById('details<%= event.getMsgID() %>').style.display == 'none') { document.getElementById('details<%= event.getMsgID() %>').style.display = 'block'; document.getElementById('label<%= event.getMsgID() %>').innerHTML = '<%= LocaleUtils.getLocalizedString("security.audit.viewer.hide_details")%>'; return false;} else { document.getElementById('details<%= event.getMsgID() %>').style.display = 'none'; document.getElementById('label<%= event.getMsgID() %>').innerHTML = '<%= LocaleUtils.getLocalizedString("security.audit.viewer.show_details")%>'; return false;}" id="label<%= event.getMsgID() %>"><fmt:message key="security.audit.viewer.show_details" /></a><br/>
<pre id="details<%= event.getMsgID() %>" style="display:none; margin: 0px; padding: 1px;"><%= event.getDetails() %></pre> <pre id="details<%= event.getMsgID() %>" style="display:none; margin: 0px; padding: 1px;"><%= StringUtils.escapeHTMLTags(event.getDetails()) %></pre>
<% } %> <% } %>
</td> </td>
<td width="15%"> <td width="15%">
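Review bot: `<%= event.getSummary() %>` at the top of this hunk is still emitted unescaped, while the fix only wraps `event.getDetails()` in `StringUtils.escapeHTMLTags(...)`; if the summary is derived from the same audit-event input as the details, the same injection path remains open. The consistent change is `<%= StringUtils.escapeHTMLTags(event.getSummary()) %>`, which the new import in the first hunk already makes available. Separately, the show/hide link splices two `LocaleUtils.getLocalizedString(...)` values straight into single-quoted JavaScript string literals inside the `onclick` handler, so any translation containing an apostrophe breaks the handler; escaping those values for a JS string (or moving the toggle into a script that reads the label from a `data-*` attribute) would remove that dependency on translation content. Whether `getSummary()` can carry attacker-influenced text is not visible here, and the enclosing scriptlet loop that defines `event` begins outside the hunk.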