[opencms-dev] Escape cms.requestContext.uri in jsp-search formatter
Диканский Андрей Юрьевич
adikanskii at ncfu.ru
Thu Jul 7 19:01:26 CEST 2022
Hello, All
Is it neccessary to escape cms.requestContext.uri when render pagination here to avoid XSS (Cross Site Scripting)?
line # 258 in https://github.com/alkacon/opencms-core/blob/branch_10_5_x/modules/org.opencms.jsp.search/resources/system/modules/org.opencms.jsp.search/formatters/jsp-search-formatter.jsp
<a href="<cms:link>${cms.requestContext.uri}?${search.stateParameters.setPage['1']}</cms:link>"
aria-label='<fmt:message key="pagination.first.title"/>'>
Andrew.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opencms.org/pipermail/opencms-dev/attachments/20220707/9f556c48/attachment.htm>
More information about the opencms-dev
mailing list