cziegeler opened a new pull request, #65: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/65
Escapes the `consoleRoot` value using `StringEscapeUtils.escapeHtml4()` before embedding it into HTML output in the XSS Protection API Web Console Plugin, preventing a potential reflected XSS vulnerability. **Changes:** - In `renderContent()`: escape `consoleRoot` before using it in `LINK_TAG`, `SCRIPT_TAG`, and the config tab anchor href. - In `renderConfigContent()`: escape `consoleRoot` before using it in `SCRIPT_TAG`, `LINK_TAG` (prettify CSS), and `SCRIPT_TAG` (prettify JS). - Introduce a local `escapedConsoleRoot` variable in each method to avoid repeated escaping calls. Co-authored-by: Maia <maia@noreply> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
