From fe2a02ec2afcbe2d7b9d59a9969d05923813ffdf Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 13 Nov 2017 09:38:00 +0100
Subject: fix some open CrossSiteScripting paths

---
 .../java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'id/server/idserverlib/src/main/java/at/gv')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 353261085..e68432e96 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -29,6 +29,7 @@ import java.io.StringWriter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 
@@ -248,7 +249,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 					null);
 				
 			//add errorcode and errormessage
-			config.putCustomParameter("errorMsg", msg);
+			config.putCustomParameter("errorMsg", StringEscapeUtils.escapeHtml(msg));
 			config.putCustomParameter("errorCode", errorCode);
 		
 			//add stacktrace if debug is enabled
-- 
cgit v1.2.3