
brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git

commit 9d6dbf911d52d724297e4e46c4b80649fb028ff9
Author: brushed <[email protected]>
AuthorDate: Thu Nov 24 10:19:31 2022 +0100

    XSS vulnerability reported by Eugene Lim and Sng Jay Kai.
---
 .../main/java/org/apache/wiki/plugin/CurrentTimePlugin.java    | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git 
a/jspwiki-main/src/main/java/org/apache/wiki/plugin/CurrentTimePlugin.java 
b/jspwiki-main/src/main/java/org/apache/wiki/plugin/CurrentTimePlugin.java
index 8d887be1f..7a8f6438c 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/CurrentTimePlugin.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/CurrentTimePlugin.java
@@ -1,4 +1,4 @@
-/* 
+/*
     Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information
@@ -14,7 +14,7 @@
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
-    under the License.  
+    under the License.
  */
 package org.apache.wiki.plugin;
 
@@ -23,6 +23,7 @@ import org.apache.wiki.api.exceptions.PluginException;
 import org.apache.wiki.api.plugin.Plugin;
 import org.apache.wiki.preferences.Preferences;
 import org.apache.wiki.preferences.Preferences.TimeFormat;
+import org.apache.wiki.util.TextUtil;
 
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -32,7 +33,7 @@ import java.util.ResourceBundle;
 /**
  *  Just displays the current date and time.
  *  The time format is exactly like in the java.text.SimpleDateFormat class.
- *  
+ *
  *  <p>Parameters : </p>
  *  NONE
  *  @since 1.7.8
@@ -59,7 +60,8 @@ public class CurrentTimePlugin implements Plugin {
 
             final Date d = new Date();  // Now.
 
-            return fmt.format( d );
+            return TextUtil.replaceEntities( fmt.format( d ) );
+
         } catch( final IllegalArgumentException e ) {
             final ResourceBundle rb = Preferences.getBundle( context, 
Plugin.CORE_PLUGINS_RESOURCEBUNDLE );
             throw new PluginException( rb.getString( 
"currenttimeplugin.badformat" ) + e.getMessage() );
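Review bot: The escaping is applied only to the successful return; the `catch` branch still concatenates `e.getMessage()` into the `PluginException` text unescaped, so if that message is rendered into the page the same treatment should be applied for consistency: `throw new PluginException( rb.getString( "currenttimeplugin.badformat" ) + TextUtil.replaceEntities( e.getMessage() ) );` (the JDK's bad-pattern messages appear to embed only a single pattern letter, so this is likely low impact, but it is cheap to close). The new `return` line also deserves a why-comment, because nothing in the hunk shows where untrusted text enters; presumably the format pattern given to `fmt` is user-supplied and quoted literals (`'...'`) in it pass straight into the output: `// The format pattern is user-controlled and quoted literals pass through verbatim, so escape the rendered result.` This fix assumes `TextUtil.replaceEntities` escapes at least `<`, `>`, `&` and both quote characters — worth confirming, since output placed in an attribute context needs the quotes as well. The enclosing `execute` method and the construction of `fmt` begin before this hunk.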
