From fcd02bb611368ca7fa324339a665743c1086897d Mon Sep 17 00:00:00 2001
From: tomas-muller
Date: Thu, 25 Jul 2024 17:11:03 +0200
Subject: [PATCH] Main page: message
- sanitize the message when it was provided as a parameter
- this is to prevent XSS vulnerability such as UniTime/main.action?message=%3Cscript%3Ealert(%22test%22);%3C/script%3E
- system and logout messages may still contain HTML tags
---
 JavaSource/org/unitime/timetable/action/MainAction.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/JavaSource/org/unitime/timetable/action/MainAction.java b/JavaSource/org/unitime/timetable/action/MainAction.java
index 45eb536dee..f43e24a294 100644
--- a/JavaSource/org/unitime/timetable/action/MainAction.java
+++ b/JavaSource/org/unitime/timetable/action/MainAction.java
@@ -21,6 +21,7 @@
 import java.io.IOException;
+import org.apache.commons.text.StringEscapeUtils;
 import org.apache.struts2.convention.annotation.Action;
 import org.apache.struts2.convention.annotation.Result;
 import org.apache.struts2.tiles.annotation.TilesDefinition;
@@ -78,7 +79,9 @@ public void printInitializationError() throws IOException {
 }
 public String execute() throws Exception {
- if (message == null)
+ if (message != null && !message.isEmpty())
+ message = StringEscapeUtils.escapeHtml4(message);
+ else if (message == null)
 message = getSystemMessage();
 if ("cas-logout".equals(op)) {
 message = MSG.casLoggedOut();
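Review bot: The escaping in the new `if` is an input-side fix that covers only the request-parameter path, while the view is presumably left rendering `message` raw so that the HTML-bearing system and logout messages survive; that contract is invisible in the code, so a comment above the new `if` should record it, e.g. `// message may arrive straight from the request parameter: escape it here because the view renders it unescaped (system/logout messages assigned below are trusted and may contain HTML)`. `StringEscapeUtils.escapeHtml4` is adequate only when the page emits the value as HTML element content; if the view ever places it inside an attribute or a script block, a context-specific encoder is needed instead — the view is outside this hunk, so this is worth confirming. The null-first ordering also reads more naturally and removes the double null test: `if (message == null) message = getSystemMessage(); else if (!message.isEmpty()) message = StringEscapeUtils.escapeHtml4(message);`. execute() continues past the end of the hunk.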