hazza/DSpace
1
0
Fork 0
mirror of https://github.com/DSpace/DSpace.git synced 2025-10-07 01:54:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Escape any HTML in user provided param.

Browse Source
This commit is contained in:
Tim Donohue
2020-07-27 14:42:56 -05:00
parent 53df081422
commit c323b989d2
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
dspace-server-webapp/src/main/java/org/dspace/app/rest/OpenSearchController.java
View File

@@ -34,6 +34,7 @@ import org.dspace.content.service.CollectionService;
import org.dspace.content.service.CommunityService; import org.dspace.content.service.CommunityService;
import org.dspace.core.Context; import org.dspace.core.Context;
import org.dspace.core.LogManager; import org.dspace.core.LogManager;
import org.dspace.core.Utils;
import org.dspace.discovery.DiscoverQuery; import org.dspace.discovery.DiscoverQuery;
import org.dspace.discovery.DiscoverResult; import org.dspace.discovery.DiscoverResult;
import org.dspace.discovery.IndexableObject; import org.dspace.discovery.IndexableObject;
@@ -103,7 +104,8 @@ public class OpenSearchController {
// do some sanity checking // do some sanity checking
if (!openSearchService.getFormats().contains(format)) { if (!openSearchService.getFormats().contains(format)) {
String err = "Format " + format + " is not supported."; // Since we are returning error response as HTML, escape any HTML in "format" param
String err = "Format " + Utils.addEntities(format) + " is not supported.";
response.setContentType("text/html"); response.setContentType("text/html");
response.setContentLength(err.length()); response.setContentLength(err.length());
response.getWriter().write(err); response.getWriter().write(err);