From fe2a02ec2afcbe2d7b9d59a9969d05923813ffdf Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 13 Nov 2017 09:38:00 +0100 Subject: fix some open CrossSiteScripting paths --- .../java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'id/server/idserverlib/src/main/java') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java index 353261085..e68432e96 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java @@ -29,6 +29,7 @@ import java.io.StringWriter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.ExceptionHandler; @@ -248,7 +249,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { null); //add errorcode and errormessage - config.putCustomParameter("errorMsg", msg); + config.putCustomParameter("errorMsg", StringEscapeUtils.escapeHtml(msg)); config.putCustomParameter("errorCode", errorCode); //add stacktrace if debug is enabled -- cgit v1.2.3