XWIKI-20341: Sanitize template URLs

xwiki · Feb 2, 2023 · e80d22d · e80d22d
1 parent 540c01c
commit e80d22d
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/...lamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/delete.vm b/...lamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/delete.vm
@@ -333,11 +333,11 @@
       </div>
       <input type="submit" class="btn btn-primary" value="$services.localization.render('yes')"/>
       #if("$!{request.xredirect}" != '')
-        #set($cancelUrl = "$request.xredirect")
+        #getSanitizedURLAttributeValue('a','href',$request.xredirect,$doc.getURL(),$cancelUrl)
       #else
-        #set($cancelUrl = $doc.getURL())
+        #set($cancelUrl = $escapetool.xml($doc.getURL()))
       #end
-      <a class="btn btn-default" href="$!{escapetool.xml(${cancelUrl})}">$services.localization.render('no')</a>
+      <a class="btn btn-default" href="$cancelUrl">$services.localization.render('no')</a>
     </form>
   #xwikimessageboxend()
 #end