Applied fix from trunk for revision: 1432833 
===

CVE-2013-0177: The Image.alt is now escaped to prevent the risk of an XSS attack.



git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release11.04@1432850 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java b/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java
index 06f323e..a1a8c01 100644
--- a/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java
+++ b/framework/widget/src/org/ofbiz/widget/screen/ModelScreenWidget.java
@@ -1554,7 +1554,12 @@
         }
 
         public String getAlt(Map<String, Object> context) {
-            return this.alt.expandString(context);
+            String alt = this.alt.expandString(context);
+            StringUtil.SimpleEncoder simpleEncoder = (StringUtil.SimpleEncoder) context.get("simpleEncoder");
+            if (simpleEncoder != null) {
+                alt = simpleEncoder.encode(alt);
+            }
+            return alt;
         }
 
         public String getUrlMode() {
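Review bot: The encoding added to getAlt is fail-open: when the context holds no `simpleEncoder` entry, the expanded `alt` is returned unescaped, so the fix depends on every render path populating that key. Nothing in the hunk shows where the key is set, so it is worth confirming that all screen renderers do so, or falling back to a default HTML encoder in the null branch instead of skipping the step. The unchecked cast on `context.get("simpleEncoder")` would also throw ClassCastException if a different type were stored under that key; an `instanceof` check would avoid that. At minimum I would add `// NOTE: alt is returned unencoded when the context has no "simpleEncoder"; the caller must escape it` above the null check. The enclosing Image class begins outside the hunk, so whether its other expanded attributes need the same treatment cannot be judged from here.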