svn commit: r1818482 - /ofbiz/branches/release16.11/specialpurpose/birt/webapp/birt/webcontent/birt/pages/common/Attributes.jsp

Author: taher
Date: Sun Dec 17 12:00:50 2017
New Revision: 1818482

URL: http://svn.apache.org/viewvc?rev=1818482&view=rev
Log:
Implemented: enforce html encoding of request-strings passed to birt

Modified:
    ofbiz/branches/release16.11/specialpurpose/birt/webapp/birt/webcontent/birt/pages/common/Attributes.jsp

Modified: ofbiz/branches/release16.11/specialpurpose/birt/webapp/birt/webcontent/birt/pages/common/Attributes.jsp
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/specialpurpose/birt/webapp/birt/webcontent/birt/pages/common/Attributes.jsp?rev=1818482&r1=1818481&r2=1818482&view=diff
==============================================================================
--- ofbiz/branches/release16.11/specialpurpose/birt/webapp/birt/webcontent/birt/pages/common/Attributes.jsp (original)
+++ ofbiz/branches/release16.11/specialpurpose/birt/webapp/birt/webcontent/birt/pages/common/Attributes.jsp Sun Dec 17 12:00:50 2017
@@ -13,7 +13,7 @@
  {
  Constants.request = {};
  }
- Constants.request.format = '<%= ParameterAccessor.getFormat(request) %>';
+ Constants.request.format = '<%= ParameterAccessor.htmlEncode(ParameterAccessor.getFormat(request)) %>';
  Constants.request.rtl = <%= ParameterAccessor.isRtl( request ) %>;
  Constants.request.isDesigner = <%= ParameterAccessor.isDesigner() %>;
  Constants.request.servletPath = "<%= request.getAttribute( "ServletPath" ) %>".substr(1);