Merge pull request #2790 from Alfresco/fix/PRODSEC-8922-XSS

[PRODSEC-8922] fix xss vulnerability
2025-07-24 17:32:48 +00:00 · 2024-07-18 13:41:30 +05:30
parent a01d375e6f 51a51ecd6b
commit 7581e07c3c
2 changed files with 7 additions and 1 deletions
--- a/packaging/war/pom.xml
+++ b/packaging/war/pom.xml
@@ -110,6 +110,11 @@
            <artifactId>mysql-connector-java</artifactId>
            <scope>test</scope>
        </dependency>
+        <dependency>
+            <groupId>org.owasp.encoder</groupId>
+            <artifactId>encoder</artifactId>
+            <version>1.2.3</version>
+        </dependency>
    </dependencies>

    <build>
--- a/packaging/war/src/main/webapp/index.jsp
+++ b/packaging/war/src/main/webapp/index.jsp
@@ -34,6 +34,7 @@
 <%@ page import="org.alfresco.service.cmr.module.ModuleDetails" %>
 <%@ page import="org.alfresco.service.cmr.module.ModuleInstallState" %>
 <%@ page import="java.util.Calendar" %>
+<%@ page import="org.owasp.encoder.Encode" %>

 <!-- Enterprise index-jsp placeholder -->
 <%
@@ -88,7 +89,7 @@ ModuleDetails shareServicesModule = moduleService.getModule("alfresco-share-serv
            <p></p>
            <p><a href="./s/index">Alfresco WebScripts Home</a> (admin only - INTERNAL)</p>
            <p></p>
-            <p><a href="<%=UrlUtil.getApiExplorerUrl(sysAdminParams, request.getRequestURL().toString(), request.getRequestURI())%>">Alfresco API Explorer</a></p>
+            <p><a href="<%=Encode.forHtmlAttribute(UrlUtil.getApiExplorerUrl(sysAdminParams, request.getRequestURL().toString(), request.getRequestURI()))%>">Alfresco API Explorer</a></p>
 <%
   if (descriptorService.getLicenseDescriptor() == null && transactionService.isReadOnly())
   {