Author: jleroux
Date: Thu Jul 23 08:49:46 2015
New Revision: 1692360

URL: http://svn.apache.org/r1692360
Log:
The description attribute of the display-entity element is now escaped to 
prevent the risk of an XSS attack.

Modified:
    
ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java

Modified: 
ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java?rev=1692360&r1=1692359&r2=1692360&view=diff
==============================================================================
--- 
ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
 (original)
+++ 
ofbiz/branches/release12.04/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
 Thu Jul 23 08:49:46 2015
@@ -2201,8 +2201,17 @@ public class ModelFormField {
                 retVal = this.description.expandString(localContext, locale);
             }
             // try to get the entry for the field if description doesn't 
expand to anything
-            if (UtilValidate.isEmpty(retVal)) retVal = fieldValue;
-            if (UtilValidate.isEmpty(retVal)) retVal = "";
+            if (UtilValidate.isEmpty(retVal)) {
+                retVal = fieldValue;
+            } 
+            if (UtilValidate.isEmpty(retVal)) {
+                retVal = "";
+            } else if (this.getModelFormField().getEncodeOutput()) {
+                StringUtil.SimpleEncoder simpleEncoder = 
(StringUtil.SimpleEncoder) context.get("simpleEncoder");
+                if (simpleEncoder != null) {
+                    retVal = simpleEncoder.encode(retVal);
+                }
+            }
             return retVal;
         }
 


Reply via email to