XWIKI-19612: XSS in the attachment history
tmortagne committed Apr 14, 2022
1 parent 5c86eb7 commit 047ce9f
Showing 1 changed file with 2 additions and 2 deletions.
Expand Up @@ -20,7 +20,7 @@
#template("startpage.vm")
<div class="main layoutsubsection">
<div id="mainContentArea">
<h3>$services.localization.render("core.viewers.attachments.revisions", [$attachment.filename])</h3>
<h3>$services.localization.render("core.viewers.attachments.revisions", [$escapetool.xml($attachment.filename)])</h3>
#if ("$tdoc.realLocale" != '')
#set($lang = "&language=${tdoc.realLocale}")
#else
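Review bot: on the `<h3>` line the filename is escaped as an argument before `$services.localization.render(...)` runs, so the fix depends on the `core.viewers.attachments.revisions` translation inserting that parameter unchanged into HTML text; a short Velocity comment stating that the rendered translation is output as HTML and that parameters must therefore be escaped by the caller would keep a later edit from dropping the `$escapetool.xml(...)` call. The commit touches one file only, so there is no regression test here; a page test that renders this template for an attachment whose name contains markup characters and asserts they appear encoded in the heading would lock the behaviour in.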
Expand All @@ -40,7 +40,7 @@
#set($url = $doc.getAttachmentRevisionURL("${attachment.filename}", ${version.toString()}))
#end
#if ($attachment.isImage())
<td><img src="${url}" alt="${attachment.filename}" width="80" />
<td><img src="${url}" alt="${escapetool.xml($attachment.filename)}" width="80" />
#else
<td class="mime">#mimetypeimg($attachment.getMimeType().toLowerCase() $attachment.getFilename().toLowerCase())
#end
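Review bot: on the `<img>` line only the `alt` attribute is escaped, while `src="${url}"` is still written raw; `$url` is built just above from `${attachment.filename}` through `$doc.getAttachmentRevisionURL(...)`, and nothing in this hunk shows that the returned value is safe for an HTML attribute. Suggest `src="$escapetool.xml($url)"` so both attributes on the tag are treated the same way. The `#else` branch passes `$attachment.getFilename().toLowerCase()` to `#mimetypeimg`, whose body is not visible here, so it is worth confirming that the macro escapes its arguments before they reach the output.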