From ff05d69b6999c990fd7cc32c3a2dd6222b73a224 Mon Sep 17 00:00:00 2001
From: hjkhjk54
Date: Wed, 14 Sep 2011 19:20:21 +0000
Subject: [PATCH] Update to escape html search input

---
 .../webapp/search/controller/PagedSearchController.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/PagedSearchController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/PagedSearchController.java
index 079533926..16591bc71 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/PagedSearchController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/PagedSearchController.java
@@ -18,6 +18,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -148,7 +149,9 @@ public class PagedSearchController extends FreemarkerHttpServlet {
 int startIndex = getStartIndex(vreq);
 int hitsPerPage = getHitsPerPage( vreq );
- String qtxt = vreq.getParameter(VitroQuery.QUERY_PARAMETER_NAME);
+ String qtxt = vreq.getParameter(VitroQuery.QUERY_PARAMETER_NAME);
+ //Clean text to prevent cross-scripting errors
+ qtxt = StringEscapeUtils.escapeHtml(qtxt);
 log.debug("Query text is \""+ qtxt + "\"");
 String badQueryMsg = badQueryText( qtxt );
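Review bot: Escaping `qtxt` in place on the added `qtxt = StringEscapeUtils.escapeHtml(qtxt);` line alters the query itself rather than only its rendering — a search for `Johnson & Johnson` is handed to `badQueryText(qtxt)`, and presumably to the query builder further down, as `Johnson &amp; Johnson`, and any template that already HTML-escapes its values will double-encode it on display. HTML escaping is an output encoding that belongs where the text is written into the page, so keep the raw parameter for the search logic and escape only the copy that goes to the view: `String qtxt = vreq.getParameter(VitroQuery.QUERY_PARAMETER_NAME);` followed by `String qtxtEscaped = StringEscapeUtils.escapeHtml(qtxt); // HTML-escaped copy for the response body only`, with the template binding switched to `qtxtEscaped`. The added comment would also be clearer as `// escape for HTML output to prevent cross-site scripting (XSS)`. The enclosing method begins before and continues after this hunk, so where `qtxt` reaches the template cannot be confirmed from these lines.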