Main page: message

- to prevent an XSS vulnerability, sanitize the message when provided as a parameter - system and logout messages may still contain HTML tags
UniTime · Jul 25, 2024 · c17adc2 · c17adc2
1 parent 07b2e9c
commit c17adc2
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/JavaSource/org/unitime/timetable/action/MainAction.java b/JavaSource/org/unitime/timetable/action/MainAction.java
@@ -21,6 +21,7 @@
 
 import java.io.IOException;
 
+import org.apache.commons.text.StringEscapeUtils;
 import org.apache.struts2.convention.annotation.Action;
 import org.apache.struts2.convention.annotation.Result;
 import org.apache.struts2.tiles.annotation.TilesDefinition;
@@ -78,7 +79,9 @@ public void printInitializationError() throws IOException {
 	}
 
 	public String execute() throws Exception {
-		if (message == null)
+		if (message != null && !message.isEmpty())
+			message = StringEscapeUtils.escapeHtml4(message);
+		else if (message == null)
 			message = getSystemMessage();
 		if ("cas-logout".equals(op)) {
 			message = MSG.casLoggedOut();

diff --git a/WebContent/help/Release-Notes.xml b/WebContent/help/Release-Notes.xml
@@ -37,6 +37,15 @@
 			</description>
 		</item>
 	</category>
+	<category>
+		<title>Other</title>
+		<item>
+			<name>Main page</name>
+			<description>
+				<line>To prevent an XSS vulnerability, sanitize the message when provided as a parameter.</line>
+			</description>
+		</item>
+	</category>
 </release>
 <release>
 	<version>4.7.109</version>