VIVO-861 Guard against Cross-Site Scripting attacks in the page title and in the body classes.

This commit is contained in:
Jim Blake 2014-09-16 13:19:23 -04:00
parent 2b9a3a5a01
commit fc227d9fcd
2 changed files with 4 additions and 2 deletions


@ -4,7 +4,7 @@
<!-- Google Chrome Frame open source plug-in brings Google Chrome's open web technologies and speedy JavaScript engine to Internet Explorer--> <!-- Google Chrome Frame open source plug-in brings Google Chrome's open web technologies and speedy JavaScript engine to Internet Explorer-->
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>${siteName!}</title> <title>${(title?html)!siteName!}</title>
<#include "stylesheets.ftl"> <#include "stylesheets.ftl">
<link rel="stylesheet" href="${urls.theme}/css/screen.css" /> <link rel="stylesheet" href="${urls.theme}/css/screen.css" />
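Review bot: on the `<title>` line, `title` is now escaped with `?html`, but the `siteName` fallback is still emitted raw; if `siteName` is administrator-editable configuration it should get the same treatment for consistency, e.g. `<title>${(title?html)!(siteName?html)!}</title>`. Note also that the trailing `!` silently renders an empty `<title>` when neither value is present; that is acceptable as a fallback, but a short template comment would make clear it is intentional rather than an omission.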


@ -6,8 +6,10 @@ the domain of the controllers. -->
<#assign bodyClasses> <#assign bodyClasses>
<#-- The compress directives and formatting here resolve whitespace issues in output; please do not alter them. --> <#-- The compress directives and formatting here resolve whitespace issues in output; please do not alter them. -->
<#-- Add the ?html builtin to currentServlet to guard against hacks.
Otherwise, the servletPath portion of the URL is rendered verbatim into the HTML -->
<#compress> <#compress>
<#assign bodyClassList = [currentServlet!]> <#assign bodyClassList = [(currentServlet?html)!]>
<#if user.loggedIn> <#if user.loggedIn>
<#assign bodyClassList = bodyClassList + ["loggedIn"]/> <#assign bodyClassList = bodyClassList + ["loggedIn"]/>
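Review bot: applying `?html` to `currentServlet` in the `bodyClassList` assignment stops the servlet path from closing the `class` attribute or injecting markup, but it still admits characters that are not valid class-name tokens (spaces, slashes, dots); since the new comment says the servletPath portion of the URL was previously rendered verbatim, consider also normalising the value to a safe token (e.g. dropping anything outside `[A-Za-z0-9_-]`) before it joins the list, and confirm that the place where `bodyClasses` is emitted uses a quoted `class="..."` attribute so the `&quot;` produced by `?html` cannot be reinterpreted. One more thing to check: if that output site applies `?html` again, the value will be double-escaped (`&amp;lt;`), which is harmless but worth a comment.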