From fc227d9fcd6b1944b52f703133672e13a864d24c Mon Sep 17 00:00:00 2001
From: Jim Blake
Date: Tue, 16 Sep 2014 13:19:23 -0400
Subject: [PATCH] VIVO-861 Guard against Cross-Site Scripting attacks in the page title and in the body classes.
---
 webapp/themes/vitro/templates/head.ftl | 2 +-
 webapp/web/templates/freemarker/page/partials/pageSetup.ftl | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/webapp/themes/vitro/templates/head.ftl b/webapp/themes/vitro/templates/head.ftl
index 94a035cb4..6bd70bf0c 100644
--- a/webapp/themes/vitro/templates/head.ftl
+++ b/webapp/themes/vitro/templates/head.ftl
@@ -4,7 +4,7 @@
-${siteName!}
+${(title?html)!siteName!}
 <#include "stylesheets.ftl">
diff --git a/webapp/web/templates/freemarker/page/partials/pageSetup.ftl b/webapp/web/templates/freemarker/page/partials/pageSetup.ftl
index 48c4c46b3..be51b0745 100644
--- a/webapp/web/templates/freemarker/page/partials/pageSetup.ftl
+++ b/webapp/web/templates/freemarker/page/partials/pageSetup.ftl
@@ -6,8 +6,10 @@
 the domain of the controllers. -->
 <#assign bodyClasses>
 <#-- The compress directives and formatting here resolve whitespace issues in output; please do not alter them. -->
+ <#-- Add the ?html builtin to currentServlet to guard against hacks.
+ Otherwise, the servletPath portion of the URL is rendered verbatim into the HTML -->
 <#compress>
- <#assign bodyClassList = [currentServlet!]>
+ <#assign bodyClassList = [(currentServlet?html)!]>
 <#if user.loggedIn>
 <#assign bodyClassList = bodyClassList + ["loggedIn"]/>
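Review bot: The fallback in `${(title?html)!siteName!}` is left unescaped: when `title` is missing the expression falls through to `siteName`, which is emitted verbatim, so the guard is only as strong as wherever `siteName` is configured. Escaping the value that is actually chosen is both simpler and complete, and parenthesising the defaults avoids the ambiguous chained `!`: `${(title!(siteName!""))?html}`. Note that `?html` is documented as escaping `<`, `>`, `&` and `"` only, which is adequate inside a `<title>` element but would not cover a single-quoted attribute if this expression were ever reused there. The element wrapping this expression and the rest of the head template lie outside the hunk.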
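Review bot: `[(currentServlet?html)!]` escapes for HTML at the point where the class list is assembled rather than where `bodyClasses` is emitted, so the stored value is only safe for whatever context that (unseen) rendering site uses, and `?html` does not escape the apostrophe, which matters if the class attribute turns out to be single-quoted. Since this entry is meant to become a CSS class derived from the servlet path, restricting it to class-name characters is a tighter guard than entity-encoding, e.g. `<#assign bodyClassList = [(currentServlet?replace("[^A-Za-z0-9_-]", "", "r"))!]>`, with `?html` still applied once at the output site. The added comment should also name the reason rather than "hacks": `<#-- Escape currentServlet: it is taken from the request's servlet path, so without escaping a crafted URL could inject markup into the class attribute -->`. The `<#compress>` block and the emission of `bodyClasses` continue outside the hunk.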