Author: jleroux
Date: Thu Jul 23 08:49:29 2015
New Revision: 1692359

URL: http://svn.apache.org/r1692359
Log:
The description attribute of the display-entity element is now escaped to 
prevent the risk of an XSS attack.

Modified:
    
ofbiz/branches/release13.07/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java

Modified: 
ofbiz/branches/release13.07/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release13.07/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java?rev=1692359&r1=1692358&r2=1692359&view=diff
==============================================================================
--- 
ofbiz/branches/release13.07/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
 (original)
+++ 
ofbiz/branches/release13.07/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
 Thu Jul 23 08:49:29 2015
@@ -2210,8 +2210,17 @@ public class ModelFormField {
                 retVal = this.description.expandString(localContext, locale);
             }
             // try to get the entry for the field if description doesn't 
expand to anything
-            if (UtilValidate.isEmpty(retVal)) retVal = fieldValue;
-            if (UtilValidate.isEmpty(retVal)) retVal = "";
+            if (UtilValidate.isEmpty(retVal)) {
+                retVal = fieldValue;
+            } 
+            if (UtilValidate.isEmpty(retVal)) {
+                retVal = "";
+            } else if (this.getModelFormField().getEncodeOutput()) {
+                StringUtil.SimpleEncoder simpleEncoder = 
(StringUtil.SimpleEncoder) context.get("simpleEncoder");
+                if (simpleEncoder != null) {
+                    retVal = simpleEncoder.encode(retVal);
+                }
+            }
             return retVal;
         }
 


Reply via email to