Main page: message
- enable HTML escaping for the message parameter
- this is to prevent an XSS vulnerability such as
  UniTime/main.action?message=%3Cscript%3Ealert(%22test%22);%3C/script%3E
tomas-muller committed Jul 25, 2024
1 parent efd2ed6 commit d0a5e64
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion WebContent/main.jsp
Expand Up @@ -28,7 +28,7 @@
<s:set var="showBackground" value="false"/>
<div class='messages'>
<div class='WelcomeRowHead'><loc:message name="sectSystemMessages"/></div>
<div class='message'><s:property value="message" escapeHtml="false"/></div>
<div class='message'><s:property value="message"/></div>
</div>
</s:if>
<tt:registration method="hasMessage">
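Review bot: Dropping escapeHtml="false" on the s:property tag is the right fix for this context: the tag escapes HTML by default, so the request-supplied message value rendered inside the div at the changed line is emitted as text (&lt;script&gt;...) rather than live markup, which neutralises the payload quoted in the commit message. Two follow-ups worth considering: check that message is not also rendered elsewhere with escaping disabled (a grep for escapeHtml="false" across WebContent would settle it), and add a regression test that requests main.action?message=%3Cscript%3E... and asserts the response body contains the escaped form rather than a raw script tag. Note that HTML-body escaping is sufficient only for this element-content position; if the same value were ever placed in an attribute or inline script, a context-specific encoder would be needed.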

0 comments on commit d0a5e64
