VIVO-861 Guard against Cross-Site Scripting attacks in the page title and in the body classes.

Jim Blake 2014-09-16 13:19:23 -04:00
parent 2b9a3a5a01
commit fc227d9fcd
2 changed files with 4 additions and 2 deletions

@ -6,8 +6,10 @@ the domain of the controllers. -->
<#assign bodyClasses>
<#-- The compress directives and formatting here resolve whitespace issues in output; please do not alter them. -->
<#-- Add the ?html builtin to currentServlet to guard against hacks.
Otherwise, the servletPath portion of the URL is rendered verbatim into the HTML -->
<#compress>
<#assign bodyClassList = [currentServlet!]>
<#assign bodyClassList = [(currentServlet?html)!]>
<#if user.loggedIn>
<#assign bodyClassList = bodyClassList + ["loggedIn"]/>
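Review bot: the `?html` added to `currentServlet` in the `bodyClassList` assignment is only sufficient if the `class` attribute this list is rendered into is double-quoted, because `?html` replaces `<`, `>`, `&` and `"` but escapes the apostrophe only on FreeMarker 2.3.20 or later with `incompatible_improvements` set accordingly; please confirm the attribute in the surrounding template is written as `class="..."` and not single-quoted. The new comment "guard against hacks" would be clearer if it named the issue, e.g. "servletPath is taken from the request URL and would otherwise be reflected unescaped into the class attribute (cross-site scripting)", which also matches the commit message. Note that this hunk covers only the body classes; the page-title guard named in the commit message is not in this hunk, so it should be checked in the other changed file.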