Hello,

here is another small bugfix patch fixing HTML not being properly escaped
in package description on this page:

https://<hostname>/rhn/software/packages/Details.do?pid=<pid>

Found that with a package where there was an email address in "<...>"
notation that didn't show up.

Thanks and regards,
Johannes

-- 
SUSE LINUX Products GmbH, HRB 16746 (AG Nürnberg)
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
From 63be1b2d99b4a594e3cd198565ea5a13197aae87 Mon Sep 17 00:00:00 2001
From: Johannes Renner <jren...@suse.de>
Date: Mon, 5 Aug 2013 15:42:53 +0200
Subject: [PATCH] Fix HTML not being escaped in package information

---
 .../redhat/rhn/frontend/action/rhnpackage/PackageDetailsAction.java  | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/java/code/src/com/redhat/rhn/frontend/action/rhnpackage/PackageDetailsAction.java b/java/code/src/com/redhat/rhn/frontend/action/rhnpackage/PackageDetailsAction.java
index b94830c..cf9f7f8 100644
--- a/java/code/src/com/redhat/rhn/frontend/action/rhnpackage/PackageDetailsAction.java
+++ b/java/code/src/com/redhat/rhn/frontend/action/rhnpackage/PackageDetailsAction.java
@@ -30,6 +30,7 @@ import com.redhat.rhn.frontend.xmlrpc.NoSuchPackageException;
 import com.redhat.rhn.manager.download.DownloadManager;
 import com.redhat.rhn.manager.rhnpackage.PackageManager;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.struts.action.ActionForm;
 import org.apache.struts.action.ActionForward;
 import org.apache.struts.action.ActionMapping;
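Review bot: The new import is the commons-lang 2.x class; confirm that artifact is already a dependency of the java module rather than commons-lang3, where the class lives at org.apache.commons.lang3.StringEscapeUtils and the method is escapeHtml4, and that the blank line placed before the org.apache imports matches the file's existing import grouping.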
@@ -125,8 +126,8 @@ public class PackageDetailsAction extends RhnAction {
             request.setAttribute("pack", pkg);
             // description can be null.
             if (pkg.getDescription() != null) {
-                request.setAttribute("description",
-                        pkg.getDescription().replace("\n", "<BR>\n"));
+                String description = StringEscapeUtils.escapeHtml(pkg.getDescription());
+                request.setAttribute("description", description.replace("\n", "<BR>\n"));
             }
             else {
                 request.setAttribute("description",
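Review bot: Escaping before the `<BR>` substitution is the right order (reversing it would escape the inserted tags), but the fix is only complete if the JSP that renders the `description` attribute outputs it unescaped and no other view prints `pkg.getDescription()` raw; also check the `else` branch that follows, which sets `description` from a value not shown in this hunk, and whether it needs the same treatment. Note that commons-lang 2 `escapeHtml` also converts non-ASCII characters to named entities (for example ü becomes `&uuml;`), which renders correctly in HTML but changes what the attribute contains.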
-- 
1.8.1.4

_______________________________________________
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
