Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java5
1 files changed, 3 insertions, 2 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
index 0f9b615a4..aebcf372e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
@@ -27,6 +27,7 @@ import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@@ -51,7 +52,7 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
public void finalizeAuthProtocol(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException, IOException {
//read pendingRequest from http request
- Object idObject = req.getParameter(PARAM_TARGET_PENDINGREQUESTID);
+ Object idObject = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_TARGET_PENDINGREQUESTID));
IRequest pendingReq = null;
String pendingRequestID = null;
if (idObject != null && (idObject instanceof String)) {
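Review bot: Escaping `PARAM_TARGET_PENDINGREQUESTID` with `escapeHtml` at the point where it is read encodes for one output context, but the value appears to be used next as a lookup identifier, so this neither validates the ID nor guarantees safety at the sink that eventually renders it. The same applies to `errorid` in the third hunk, which feeds the "load stored exception from database" step. commons-lang's `escapeHtml` leaves the apostrophe untouched, so a value echoed into a single-quoted attribute or a script context would still need encoding there. I would keep the raw parameter, reject anything that does not match the format the ID generator produces before the lookup, and encode where the response is written; at minimum add `// escaped on input as defence in depth only; encode again at every HTML/JS sink`. Since `escapeHtml` returns a `String`, `idObject` could also be declared `String` and the `instanceof` test dropped; the body of finalizeAuthProtocol continues outside the hunk.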
@@ -61,7 +62,7 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
}
//receive an authentication error
- String errorid = req.getParameter(ERROR_CODE_PARAM);
+ String errorid = StringEscapeUtils.escapeHtml(req.getParameter(ERROR_CODE_PARAM));
if (errorid != null) {
try {
//load stored exception from database