commit | b82bcd66878789dc34dbc45823cea41a1706b3a7 | [log] [tgz] |
---|---|---|
author | Jacopo Cappellato <jacopoc@apache.org> | Mon Jan 14 09:36:37 2013 +0000 |
committer | Jacopo Cappellato <jacopoc@apache.org> | Mon Jan 14 09:36:37 2013 +0000 |
tree | 821af6d3182c0745e44fa907eab28655bb54fcdf | |
parent | 598d31ecc55741476df8c553fd341dbcdcee2159 [diff] |
Applied fix from trunk for revision: 1432833 === CVE-2013-0177: The Image.alt is now escaped to prevent the risk of an XSS attack. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release11.04@1432850 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java b/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java
index 06f323e..a1a8c01 100644
--- a/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java
+++ b/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java
@@ -1554,7 +1554,12 @@
 }
 public String getAlt(Map<String, Object> context) {
- return this.alt.expandString(context);
+ String alt = this.alt.expandString(context);
+ StringUtil.SimpleEncoder simpleEncoder = (StringUtil.SimpleEncoder) context.get("simpleEncoder");
+ if (simpleEncoder != null) {
+ alt = simpleEncoder.encode(alt);
+ }
+ return alt;
 }
 public String getUrlMode() {
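Review bot: The null guard added in `getAlt` fails open: when the context carries no `simpleEncoder`, the expanded alt text is returned unencoded, so the CVE-2013-0177 fix silently depends on every rendering path having populated that key. The fallback should at least be observable, e.g. an else branch `Debug.logWarning("No simpleEncoder in context; Image.alt returned unencoded", ModelScreenWidget.class.getName());` so a missing encoder shows up in the logs rather than only as reflected markup. The unchecked cast to `StringUtil.SimpleEncoder` will also throw `ClassCastException` if some other object is stored under that key; an `instanceof` check before the cast would route that case through the same warning path. The enclosing `Image` class (per the commit message) starts and ends outside this hunk, so whether sibling getters such as the description follow the same pattern cannot be judged here.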