DS-2737: Escape message keys which are passed in as url params

This commit is contained in:
Tim Donohue
2015-11-03 15:45:26 +00:00
committed by Pascal-Nicolas Becker
parent 2518e0a762
commit c98019d0f1


@@ -34,6 +34,7 @@
--%> --%>
<%@page import="org.dspace.core.Utils"%> <%@page import="org.dspace.core.Utils"%>
<%@page import="com.coverity.security.Escape"%>
<%@page import="org.dspace.discovery.configuration.DiscoverySearchFilterFacet"%> <%@page import="org.dspace.discovery.configuration.DiscoverySearchFilterFacet"%>
<%@page import="org.dspace.app.webui.util.UIUtil"%> <%@page import="org.dspace.app.webui.util.UIUtil"%>
<%@page import="java.util.HashMap"%> <%@page import="java.util.HashMap"%>
@@ -215,7 +216,7 @@
<% <%
for (DiscoverySearchFilter searchFilter : availableFilters) for (DiscoverySearchFilter searchFilter : availableFilters)
{ {
String fkey = "jsp.search.filter."+searchFilter.getIndexFieldName(); String fkey = "jsp.search.filter." + Escape.uriParam(searchFilter.getIndexFieldName());
%><option value="<%= Utils.addEntities(searchFilter.getIndexFieldName()) %>"<% %><option value="<%= Utils.addEntities(searchFilter.getIndexFieldName()) %>"<%
if (filter[0].equals(searchFilter.getIndexFieldName())) if (filter[0].equals(searchFilter.getIndexFieldName()))
{ {
@@ -226,7 +227,7 @@
} }
if (!found) if (!found)
{ {
String fkey = "jsp.search.filter."+filter[0]; String fkey = "jsp.search.filter." + Escape.uriParam(filter[0]);
%><option value="<%= Utils.addEntities(filter[0]) %>" selected="selected"><fmt:message key="<%= fkey %>"/></option><% %><option value="<%= Utils.addEntities(filter[0]) %>" selected="selected"><fmt:message key="<%= fkey %>"/></option><%
} }
%> %>
@@ -235,7 +236,7 @@
<% <%
for (String opt : options) for (String opt : options)
{ {
String fkey = "jsp.search.filter.op."+opt; String fkey = "jsp.search.filter.op." + Escape.uriParam(opt);
%><option value="<%= Utils.addEntities(opt) %>"<%= opt.equals(filter[1])?" selected=\"selected\"":"" %>><fmt:message key="<%= fkey %>"/></option><% %><option value="<%= Utils.addEntities(opt) %>"<%= opt.equals(filter[1])?" selected=\"selected\"":"" %>><fmt:message key="<%= fkey %>"/></option><%
} }
%> %>
@@ -276,7 +277,7 @@
<% <%
for (DiscoverySearchFilter searchFilter : availableFilters) for (DiscoverySearchFilter searchFilter : availableFilters)
{ {
String fkey = "jsp.search.filter."+searchFilter.getIndexFieldName(); String fkey = "jsp.search.filter." + Escape.uriParam(searchFilter.getIndexFieldName());
%><option value="<%= Utils.addEntities(searchFilter.getIndexFieldName()) %>"><fmt:message key="<%= fkey %>"/></option><% %><option value="<%= Utils.addEntities(searchFilter.getIndexFieldName()) %>"><fmt:message key="<%= fkey %>"/></option><%
} }
%> %>
@@ -285,7 +286,7 @@
<% <%
for (String opt : options) for (String opt : options)
{ {
String fkey = "jsp.search.filter.op."+opt; String fkey = "jsp.search.filter.op." + Escape.uriParam(opt);
%><option value="<%= Utils.addEntities(opt) %>"><fmt:message key="<%= fkey %>"/></option><% %><option value="<%= Utils.addEntities(opt) %>"><fmt:message key="<%= fkey %>"/></option><%
} }
%> %>
@@ -340,7 +341,7 @@
for (String sortBy : sortOptions) for (String sortBy : sortOptions)
{ {
String selected = (sortBy.equals(sortedBy) ? "selected=\"selected\"" : ""); String selected = (sortBy.equals(sortedBy) ? "selected=\"selected\"" : "");
String mKey = "search.sort-by." + sortBy; String mKey = "search.sort-by." + Utils.addEntities(sortBy);
%> <option value="<%= Utils.addEntities(sortBy) %>" <%= selected %>><fmt:message key="<%= mKey %>"/></option><% %> <option value="<%= Utils.addEntities(sortBy) %>" <%= selected %>><fmt:message key="<%= mKey %>"/></option><%
} }
%> %>
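Review bot: The sort-by key in the last hunk is built with `Utils.addEntities(sortBy)` while the five other keys in this file now use `Escape.uriParam(...)`, so the same sink — the `key` of a `<fmt:message>`, whose fallback for an unknown key prints `???key???` straight into the page — is fed through two different encoders. Both strip `<` and `>`, but `Escape.uriParam` is a percent-encoder for URI components, not for HTML text: a request value like `a b` would render as `a+b` or `a%20b` in the fallback, whereas the entity-encoded form (`Utils.addEntities` appears to be HTML-entity escaping, given its use in the `value` attributes) displays faithfully and still cannot inject markup. I would pick one encoder and, since the value lands in HTML, make the user-controlled cases match the `mKey` line: `String fkey = "jsp.search.filter." + Utils.addEntities(filter[0]);` and likewise for the two `opt` keys (if the project prefers `Escape.uriParam`, at least change `mKey` to match so the inconsistency does not look like an oversight). Separately, the `!found` branch renders a filter name that by construction is not in `availableFilters`, so it is the only place an arbitrary request value reaches the bundle lookup; if no caller depends on that option being present, dropping the lookup there (emit `Utils.addEntities(filter[0])` as the label, or omit the option) removes the untrusted key entirely — I cannot tell from the hunks whether that is acceptable. The scriptlet loops begin and end outside the hunks.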