OF-942 Reflected XSS in MUC room edit form

d1bfea3b · Dave Cridland · 1a3bf443 · d1bfea3b
Commit d1bfea3b authored Dec 11, 2015 by Dave Cridland
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

muc-room-edit-form.jsp src/web/muc-room-edit-form.jsp +2 -2

No files found.
--- a/src/web/muc-room-edit-form.jsp
+++ b/src/web/muc-room-edit-form.jsp
@@ -525,11 +525,11 @@
                </tr>
                 <tr>
                    <td><fmt:message key="muc.room.edit.form.required_password" />:</td>
-                    <td><input type="password" name="roomconfig_roomsecret" <% if(password != null) { %> value="<%= password %>" <% } %>></td>
+                    <td><input type="password" name="roomconfig_roomsecret" <% if(password != null) { %> value="<%= (password == null ? "" : StringUtils.escapeForXML(password)) %>" <% } %>></td>
                </tr>
                 <tr>
                    <td><fmt:message key="muc.room.edit.form.confirm_password" />:</td>
-                    <td><input type="password" name="roomconfig_roomsecret2" <% if(confirmPassword != null) { %> value="<%= confirmPassword %>" <% } %>>
+                    <td><input type="password" name="roomconfig_roomsecret2" <% if(confirmPassword != null) { %> value="<%= (confirmPassword == null ? "" : StringUtils.escapeForXML(confirmPassword)) %>" <% } %>>
                    </td>
                </tr>
                 <tr>