Author: jleroux
Date: Thu Jul 23 08:36:36 2015
New Revision: 1692357
URL:
http://svn.apache.org/r1692357
Log:
The description attribute of the display-entity element is now escaped to prevent the risk of an XSS attack.
Modified:
ofbiz/trunk/framework/widget/src/org/ofbiz/widget/model/ModelFormField.java
Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/model/ModelFormField.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/model/ModelFormField.java?rev=1692357&r1=1692356&r2=1692357&view=diff
==============================================================================
--- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/model/ModelFormField.java (original)
+++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/model/ModelFormField.java Thu Jul 23 08:36:36 2015
@@ -1338,10 +1338,17 @@ public class ModelFormField {
retVal = this.getDescription().expandString(localContext, locale);
}
// try to get the entry for the field if description doesn't expand to anything
- if (UtilValidate.isEmpty(retVal))
+ if (UtilValidate.isEmpty(retVal)) {
retVal = fieldValue;
- if (UtilValidate.isEmpty(retVal))
+ }
+ if (UtilValidate.isEmpty(retVal)) {
retVal = "";
+ } else if (this.getModelFormField().getEncodeOutput()) {
+ UtilCodec.SimpleEncoder simpleEncoder = (UtilCodec.SimpleEncoder) context.get("simpleEncoder");
+ if (simpleEncoder != null) {
+ retVal = simpleEncoder.encode(retVal);
+ }
+ }
return retVal;
}
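Review bot: The new `else if` branch fails open: when `context.get("simpleEncoder")` returns null the value is returned unescaped and nothing records that encoding was skipped, so the XSS protection this commit adds silently disappears on any render path that does not place an encoder in the context; a warning log, or a default HTML encoder used as the fallback, at that point would make the gap visible instead of silent. Encoding is also gated on `getEncodeOutput()`, so the log message's claim that the description "is now escaped" holds only for fields whose encode-output attribute is true, which the commit message should state. The unchecked cast on the `simpleEncoder` line will throw ClassCastException if some caller stored a different type under that key; `Object encoder = context.get("simpleEncoder"); if (encoder instanceof UtilCodec.SimpleEncoder) { retVal = ((UtilCodec.SimpleEncoder) encoder).encode(retVal); }` replaces the cast and the null check with one guard. The enclosing method starts before the hunk.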