On Monday, 31 October 2005 11:12, Philipp Bracher wrote:
> JIRA is alive. Can you fill the bug report, please?

Done (MAGNOLIA-590). I can't attach files in Jira, so I posted the patch as a 
comment. Looks ugly, source file had tabs instead of spaces and DOS line 
breaks. Here is the patch again.

Other parts of Magnolia could also be affected where user input/output is not 
properly escaped.

Oliver

--- search.jsp-822	Tue Nov  1 10:06:47 2005
+++ search.jsp	Tue Nov  1 10:07:30 2005
@@ -2,7 +2,8 @@
 	xmlns:cms="urn:jsptld:cms-taglib"
 	xmlns:cmsu="urn:jsptld:cms-util-taglib"
 	xmlns:c="urn:jsptld:http://java.sun.com/jsp/jstl/core";
-	xmlns:fmt="urn:jsptld:http://java.sun.com/jsp/jstl/fmt";>
+	xmlns:fmt="urn:jsptld:http://java.sun.com/jsp/jstl/fmt";
+	xmlns:fn="urn:jsptld:http://java.sun.com/jsp/jstl/functions";>
 	<jsp:directive.page contentType="text/html; charset=utf-8" />
 
 	<jsp:text>
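Review bot: The added xmlns:fn declaration follows the same urn:jsptld: prefix convention as the existing core and fmt declarations, which is what the fn:escapeXml() calls in the next hunk need; the one thing to confirm before merging is that the JSTL shipped with the sample templates is 1.1 or later, since the functions taglib (and fn:escapeXml) does not exist in JSTL 1.0 and the prefix would fail to resolve at translation time.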
@@ -19,13 +20,13 @@
 			<c:import url="/templates/jsp/samples/global/columnMain.jsp" />
 
 			<form name="mgnlsearch" action=""><input id="query" name="query"
-				value="${param.query}" /> <input type="submit" name="search"
+				value="${fn:escapeXml(param.query)}" /> <input type="submit" name="search"
 				value="search" /></form>
 
 
 			<c:if test="${!empty(param.query)}">
 				<h1>Search results for:</h1>
-				<h2>${param.query}</h2>
+				<h2>${fn:escapeXml(param.query)}</h2>
 
 				<cmsu:simpleSearch query="${param.query}" var="results" />
 
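Review bot: fn:escapeXml() is the right fix for both output sites here, because it escapes &lt;, &gt;, &amp;, ' and " and so covers the attribute context of the input value as well as the element content of the h2. Leaving the raw ${param.query} in the cmsu:simpleSearch call is correct, since that value is data passed to the search, not markup, and escaping it there would corrupt the query. The hunk ends before the part of the template that renders the search results, so this review cannot see whether result titles and excerpts are escaped on output; those should be checked with the same lens, as the covering mail already suggests for the rest of Magnolia.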
----------------------------------------------------------------
for list details see
http://www.magnolia.info/en/magnolia/developer.html
----------------------------------------------------------------