From c17adc200b0a83790f1f7eb47424d45402e8e676 Mon Sep 17 00:00:00 2001
From: tomas-muller
Date: Thu, 25 Jul 2024 17:11:03 +0200
Subject: [PATCH] Main page: message
- to prevent an XSS vulnerability, sanitize the message when provided as a parameter
- system and logout messages may still contain HTML tags
---
 JavaSource/org/unitime/timetable/action/MainAction.java | 5 ++++-
 WebContent/help/Release-Notes.xml | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/JavaSource/org/unitime/timetable/action/MainAction.java b/JavaSource/org/unitime/timetable/action/MainAction.java
index c471f310d6..2ee6d5f122 100644
--- a/JavaSource/org/unitime/timetable/action/MainAction.java
+++ b/JavaSource/org/unitime/timetable/action/MainAction.java
@@ -21,6 +21,7 @@
 import java.io.IOException;
+import org.apache.commons.text.StringEscapeUtils;
 import org.apache.struts2.convention.annotation.Action;
 import org.apache.struts2.convention.annotation.Result;
 import org.apache.struts2.tiles.annotation.TilesDefinition;
@@ -78,7 +79,9 @@ public void printInitializationError() throws IOException {
 }
 public String execute() throws Exception {
-if (message == null)
+if (message != null && !message.isEmpty())
+message = StringEscapeUtils.escapeHtml4(message);
+else if (message == null)
 message = getSystemMessage();
 if ("cas-logout".equals(op)) {
 message = MSG.casLoggedOut();
diff --git a/WebContent/help/Release-Notes.xml b/WebContent/help/Release-Notes.xml
index e7af3c2d7e..62a34c0d7f 100644
--- a/WebContent/help/Release-Notes.xml
+++ b/WebContent/help/Release-Notes.xml
@@ -37,6 +37,15 @@ + + Other + + Main page + + To prevent an XSS vulnerability, sanitize the message when provided as a parameter. + + + 4.7.109
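Review bot: `StringEscapeUtils.escapeHtml4` on the new line in `execute()` encodes `<`, `>`, `&` and `"` but leaves `'` untouched, so the parameter-supplied message is only safe where the view emits it as HTML text or inside a double-quoted attribute; if the main page (not in this hunk) places `message` in a single-quoted attribute or a script block, it is still injectable there. Encoding in the action also covers only this one path: any code that renders `message` before `execute()` runs, or assigns it after this point, sees or produces an unencoded value, and the view presumably has escaping disabled so that the system and logout messages can carry markup — that makes this method the single place where untrusted input is neutralised, which deserves a comment such as `// message came from a request parameter: HTML-encode it here; the system and logout messages below are trusted and may contain markup, and the view renders all of them unescaped`. The branch order reads backwards as written; `if (message == null) message = getSystemMessage(); else if (!message.isEmpty()) message = StringEscapeUtils.escapeHtml4(message);` states the same behaviour more directly. `execute()` continues past the end of the hunk, so any later assignment to `message` cannot be checked here.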