[opencms-dev] Escape cms.requestContext.uri in jsp-search formatter

Диканский Андрей Юрьевич adikanskii at ncfu.ru
Thu Jul 7 19:01:26 CEST 2022


Hello, All


Is it necessary to escape cms.requestContext.uri when rendering pagination here to avoid XSS (Cross Site Scripting)?

line # 258 in https://github.com/alkacon/opencms-core/blob/branch_10_5_x/modules/org.opencms.jsp.search/resources/system/modules/org.opencms.jsp.search/formatters/jsp-search-formatter.jsp

<a href="<cms:link>${cms.requestContext.uri}?${search.stateParameters.setPage['1']}</cms:link>"
        aria-label='<fmt:message key="pagination.first.title"/>'>


Andrew.