This is an automated email from the ASF dual-hosted git repository. brushed pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 46e1ef7a595ca5cabf5ef184139910413f2024fc
Author: brushed <[email protected]>
AuthorDate: Thu Nov 24 10:19:40 2022 +0100
XSS vulnerability reported by Eugene Lim and Sng Jay Kai.
---
jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java b/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java
index b8e717990..fa192e5d8 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/InsertPage.java
@@ -87,9 +87,9 @@ public class InsertPage implements Plugin {
 final StringBuilder res = new StringBuilder();
- final String clazz = params.get( PARAM_CLASS );
- final String includedPage = params.get( PARAM_PAGENAME );
- String style = params.get( PARAM_STYLE );
+ final String clazz = TextUtil.replaceEntities(params.get( PARAM_CLASS ));
+ final String includedPage = TextUtil.replaceEntities(params.get( PARAM_PAGENAME ));
+ String style = TextUtil.replaceEntities(params.get( PARAM_STYLE ));
 final boolean showOnce = "once".equals( params.get( PARAM_SHOW ) );
 final String defaultstr = params.get( PARAM_DEFAULT );
 final int section = TextUtil.parseIntParameter(params.get( PARAM_SECTION ), -1 );
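Review bot: `defaultstr` is still read with `params.get( PARAM_DEFAULT )` and no `TextUtil.replaceEntities`, while the three parameters next to it are now escaped. If that value is appended to `res` later in the enclosing method (which starts and ends outside this hunk), it is still an unescaped, author-controlled string in the rendered output; `final String defaultstr = TextUtil.replaceEntities( params.get( PARAM_DEFAULT ) );` would close that gap. Separately, escaping `includedPage` where it is read means any later page lookup or URL construction would receive the entity-encoded name, so page names containing `&`, `<` or quotes may stop resolving. Keeping the raw name for lookups and escaping each value at the point it is written into `res` would be the more robust pattern, and it makes a missed parameter easier to spot in review.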
