Commit c784a6f2 authored by Dave Cridland's avatar Dave Cridland

OF-942 Reflected XSS in External Component Settings

parent d1bfea3b
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
<%@ taglib uri="admin" prefix="admin" %> <%@ taglib uri="admin" prefix="admin" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %> <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
<jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" /> <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" />
<% webManager.init(request, response, session, application, out ); %> <% webManager.init(request, response, session, application, out ); %>
<% <%
...@@ -503,7 +504,7 @@ ...@@ -503,7 +504,7 @@
<tr valign="top"> <tr valign="top">
<td colspan="2"> <td colspan="2">
<label for="defaultSecret"><fmt:message key="component.settings.defaultSecret" /></label>&nbsp; <label for="defaultSecret"><fmt:message key="component.settings.defaultSecret" /></label>&nbsp;
<input type="text" size="15" maxlength="70" name="defaultSecret" id="defaultSecret" value="${defaultSecret}"/> <input type="text" size="15" maxlength="70" name="defaultSecret" id="defaultSecret" value="${fn:escapeXml(defaultSecret)}"/>
</td> </td>
</tr> </tr>
...@@ -574,13 +575,13 @@ ...@@ -574,13 +575,13 @@
<label for="componentAllowedSubdomain"><fmt:message key="component.settings.subdomain" /></label> <label for="componentAllowedSubdomain"><fmt:message key="component.settings.subdomain" /></label>
</td> </td>
<td> <td>
<input type="text" size="40" name="subdomain" id="componentAllowedSubdomain" value="${param.containsKey('componentAllowed') and not empty errors ? param[ 'subdomain' ] : ''}"/> <input type="text" size="40" name="subdomain" id="componentAllowedSubdomain" value="${fn:escapeXml(param.containsKey('componentAllowed') and not empty errors ? param[ 'subdomain' ] : '')}"/>
</td> </td>
<td nowrap width="1%"> <td nowrap width="1%">
<label for="componentAllowedSecret"><fmt:message key="component.settings.secret" /></label> <label for="componentAllowedSecret"><fmt:message key="component.settings.secret" /></label>
</td> </td>
<td> <td>
<input type="text" size="15" name="secret" id="componentAllowedSecret" value="${param.containsKey('componentAllowed') and not empty errors ? param[ 'secret' ] : ''}"/> <input type="text" size="15" name="secret" id="componentAllowedSecret" value="${fn:escapeXml(param.containsKey('componentAllowed') and not empty errors ? param[ 'secret' ] : '')}"/>
</td> </td>
</tr> </tr>
<tr align="center"> <tr align="center">
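Review bot: The `defaultSecret` input in the second hunk (`<input type="text" ... name="defaultSecret" ... value="${fn:escapeXml(defaultSecret)}"/>`) still renders the component shared secret into the page as a visible plain-text field; the escaping stops the injection but not the disclosure of the secret on screen, in form autofill and in any page capture. Consider `type="password" autocomplete="off"` on this field and on the `secret` input in the third hunk, which reflects `param['secret']` the same way. `fn:escapeXml` covers `<`, `>`, `&`, `"` and `'`, which is adequate for a double-quoted attribute value, but it only protects the three reflections this commit touches — any other `${param[...]}` or `${...}` interpolation elsewhere in this JSP (outside these hunks) presumably needs the same wrapping, so a grep of the file for unescaped EL in attribute or body context is worth doing before closing OF-942.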