Author: jleroux
Date: Thu Jul 23 08:36:36 2015
New Revision: 1692357

URL: http://svn.apache.org/r1692357
Log:
The description attribute of the display-entity element is now escaped to 
prevent the risk of an XSS attack.

Modified:
    ofbiz/trunk/framework/widget/src/org/ofbiz/widget/model/ModelFormField.java

Modified: 
ofbiz/trunk/framework/widget/src/org/ofbiz/widget/model/ModelFormField.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/model/ModelFormField.java?rev=1692357&r1=1692356&r2=1692357&view=diff
==============================================================================
--- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/model/ModelFormField.java 
(original)
+++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/model/ModelFormField.java 
Thu Jul 23 08:36:36 2015
@@ -1338,10 +1338,17 @@ public class ModelFormField {
                 retVal = this.getDescription().expandString(localContext, 
locale);
             }
             // try to get the entry for the field if description doesn't 
expand to anything
-            if (UtilValidate.isEmpty(retVal))
+            if (UtilValidate.isEmpty(retVal)) {
                 retVal = fieldValue;
-            if (UtilValidate.isEmpty(retVal))
+            } 
+            if (UtilValidate.isEmpty(retVal)) {
                 retVal = "";
+            } else if (this.getModelFormField().getEncodeOutput()) {
+                UtilCodec.SimpleEncoder simpleEncoder = 
(UtilCodec.SimpleEncoder) context.get("simpleEncoder");
+                if (simpleEncoder != null) {
+                    retVal = simpleEncoder.encode(retVal);
+                }
+            }
             return retVal;
         }
 


Reply via email to