From f4deaea7ad8ff966f4c4aa80e78a008965946203 Mon Sep 17 00:00:00 2001
From: Will Abson
Date: Wed, 25 Jun 2014 15:34:39 +0000
Subject: [PATCH] Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (4.3/Cloud) 71772: Merged V4.2-BUG-FIX (4.2.3) to HEAD-BUG-FIX (4.3/Cloud) 71677: Merged V4.1-BUG-FIX (4.1.9) to V4.2-BUG-FIX (4.2.3) 71430: Merged DEV to V4.1-BUG-FIX (4.1.9) 70396: MNT-11360: XSS: vulnerabilities found in Alfresco Explorer - Additional encoding was added.
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@74721 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../java/org/alfresco/web/bean/ajax/PickerBean.java | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/source/java/org/alfresco/web/bean/ajax/PickerBean.java b/source/java/org/alfresco/web/bean/ajax/PickerBean.java
index 6d3666366d..bc7f8871b6 100644
--- a/source/java/org/alfresco/web/bean/ajax/PickerBean.java
+++ b/source/java/org/alfresco/web/bean/ajax/PickerBean.java
@@ -191,7 +191,7 @@ public class PickerBean implements Serializable
 Collection childRefs;
 NodeRef parentRef = null;
 Map params = fc.getExternalContext().getRequestParameterMap();
- String strParentRef = (String)params.get(PARAM_PARENT);
+ String strParentRef = Utils.encode((String)params.get(PARAM_PARENT));
 if (strParentRef == null || strParentRef.length() == 0)
 {
 childRefs = this.getCategoryService().getRootCategories(
@@ -273,7 +273,7 @@ public class PickerBean implements Serializable
 Collection childRefs;
 NodeRef parentRef = null;
 Map params = fc.getExternalContext().getRequestParameterMap();
- String strParentRef = (String)params.get(ID_PARENT);
+ String strParentRef = Utils.encode((String)params.get(ID_PARENT));
 if (strParentRef == null || strParentRef.length() == 0)
 {
 childRefs = this.getCategoryService().getRootCategories(
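Review bot: In the `@@ -191` hunk `Utils.encode(...)` is applied to the request parameter as it is read, so every later use of `strParentRef` in the method sees HTML-escaped text rather than the submitted value; the same pattern repeats in `@@ -273`, `@@ -347`, `@@ -357`, `@@ -445` and `@@ -455`. Escaping belongs at the point where the value is written into the response, because encoding at input covers only the sinks that reuse this variable and double-encodes if an output writer also escapes. For a value that is meant to be a node reference, a format check after the existing null/empty test is the tighter control, e.g. `if (!NodeRef.isNodeRef(strParentRef)) { /* reject the request */ }`, with the encode call moved to the output code. The call also now runs before the `strParentRef == null` test, and an absent parameter is the normal root-listing case, so confirm that `Utils.encode` accepts null (its body is not part of this patch). The enclosing method starts and ends outside the hunk.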
@@ -347,7 +347,7 @@ public class PickerBean implements Serializable
 NodeRef parentRef = null;
 Map params = fc.getExternalContext().getRequestParameterMap();
- String strChildRef = (String)params.get(PARAM_CHILD);
+ String strChildRef = Utils.encode((String)params.get(PARAM_CHILD));
 if (strChildRef != null && strChildRef.length() != 0)
 {
 // TODO: check permission on the parent
@@ -357,7 +357,7 @@ public class PickerBean implements Serializable
 else
 {
 // TODO: check permission on the parent
- String strParentRef = (String)params.get(PARAM_PARENT);
+ String strParentRef = Utils.encode((String)params.get(PARAM_PARENT));
 if (strParentRef == null || strParentRef.length() == 0)
 {
 parentRef = companyHomeRef;
@@ -445,7 +445,7 @@ public class PickerBean implements Serializable
 NodeRef parentRef = null;
 Map params = fc.getExternalContext().getRequestParameterMap();
- String strChildRef = (String)params.get(PARAM_CHILD);
+ String strChildRef = Utils.encode((String)params.get(PARAM_CHILD));
 if (strChildRef != null && strChildRef.length() != 0)
 {
 // TODO: check permission on the parent
@@ -455,7 +455,7 @@ public class PickerBean implements Serializable
 else
 {
 // TODO: check permission on the parent
- String strParentRef = (String)params.get(PARAM_PARENT);
+ String strParentRef = Utils.encode((String)params.get(PARAM_PARENT));
 if (strParentRef == null || strParentRef.length() == 0)
 {
 parentRef = companyHomeRef;
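Review bot: The `// TODO: check permission on the parent` comments kept as context in `@@ -347`, `@@ -357`, `@@ -445` and `@@ -455` sit directly on the request-supplied `PARAM_CHILD` / `PARAM_PARENT` values this patch touches, and encoding them does nothing for that open item. The client chooses which node these methods resolve, so the authorization decision should be explicit here; whether the services called after the hunks already enforce read permission is not visible in this patch. Either add the check before the reference is used, or replace each TODO with a comment that states where enforcement happens, e.g. `// read permission on the parent is enforced by <service> (see <reference>)`. The surrounding methods start and end outside the hunks.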