Main page: message
- sanitize the message when it was provided as a parameter
- this is to prevent an XSS vulnerability such as
  UniTime/main.action?message=%3Cscript%3Ealert(%22test%22);%3C/script%3E

- system and logout messages may still contain HTML tags
tomas-muller committed Jul 25, 2024
1 parent efd2ed6 commit fcd02bb
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion JavaSource/org/unitime/timetable/action/MainAction.java
Expand Up @@ -21,6 +21,7 @@

import java.io.IOException;

import org.apache.commons.text.StringEscapeUtils;
import org.apache.struts2.convention.annotation.Action;
import org.apache.struts2.convention.annotation.Result;
import org.apache.struts2.tiles.annotation.TilesDefinition;
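Review bot: the new `import org.apache.commons.text.StringEscapeUtils;` brings in Apache Commons Text, which is a separate artifact from the older (deprecated) `org.apache.commons.lang3.StringEscapeUtils`; confirm the build for this module already declares the commons-text dependency so the file compiles on a clean checkout, and that the rest of the code base is not mixing the two classes.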
Expand Down Expand Up @@ -78,7 +79,9 @@ public void printInitializationError() throws IOException {
}

public String execute() throws Exception {
if (message == null)
if (message != null && !message.isEmpty())
message = StringEscapeUtils.escapeHtml4(message);
else if (message == null)
message = getSystemMessage();
if ("cas-logout".equals(op)) {
message = MSG.casLoggedOut();
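Review bot: `message = StringEscapeUtils.escapeHtml4(message);` encodes for an HTML element-content context only, so the fix is complete only if the view prints `message` as element text; if the JSP places it inside an attribute value or a `<script>` block, entity encoding alone is not sufficient and a context-specific encoder is needed there. Because the parameter is now encoded on input, any existing output-side escaping of `message` in the view would double-encode it (the user would see `&lt;` literally), so one of the two should be chosen and documented. The ordering is otherwise sound: `else if (message == null)` preserves the old fallback (an empty parameter stays empty rather than loading the system message, as with the removed `if (message == null)` line), and the `"cas-logout"` branch still overwrites the value afterwards, which matches the commit message's note that system and logout messages keep their HTML.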

0 comments on commit fcd02bb