svn commit: r1692360 - /ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java


svn commit: r1692360 - /ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java

jleroux@apache.org
Author: jleroux
Date: Thu Jul 23 08:49:46 2015
New Revision: 1692360

URL: http://svn.apache.org/r1692360
Log:
The description attribute of the display-entity element is now escaped to mitigate the risk of an XSS attack.

Modified:
    ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java

Modified: ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java?rev=1692360&r1=1692359&r2=1692360&view=diff
==============================================================================
--- ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java (original)
+++ ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java Thu Jul 23 08:49:46 2015
@@ -2201,8 +2201,17 @@ public class ModelFormField {
                 retVal = this.description.expandString(localContext, locale);
             }
             // try to get the entry for the field if description doesn't expand to anything
-            if (UtilValidate.isEmpty(retVal)) retVal = fieldValue;
-            if (UtilValidate.isEmpty(retVal)) retVal = "";
+            if (UtilValidate.isEmpty(retVal)) {
+                retVal = fieldValue;
+            }
+            if (UtilValidate.isEmpty(retVal)) {
+                retVal = "";
+            } else if (this.getModelFormField().getEncodeOutput()) {
+                StringUtil.SimpleEncoder simpleEncoder = (StringUtil.SimpleEncoder) context.get("simpleEncoder");
+                if (simpleEncoder != null) {
+                    retVal = simpleEncoder.encode(retVal);
+                }
+            }
             return retVal;
         }