Add some more HTML escaping to prevent XSS

unclebob · Oct 2, 2021 · cc7e58a · cc7e58a
1 parent 21d6901
commit cc7e58a
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 9 deletions.
diff --git a/src/fitnesse/resources/bootstrap/templates/breadcrumb.vm b/src/fitnesse/resources/bootstrap/templates/breadcrumb.vm
@@ -5,7 +5,7 @@
 
 <ol class="breadcrumb">
 #foreach($breadCrumb in $pageTitle.BreadCrumbs)
- <li><a href="${contextRoot}$breadCrumb.Link">$breadCrumb.Name</a></li>
+ <li><a href="${contextRoot}#escape($breadCrumb.Link)">#escape($breadCrumb.Name)</a></li>
 #end
- <li>#if($pageTitle.Link)<a href="${contextRoot}$pageTitle.Link">$pageTitle.Title</a>#else$pageTitle.Title#end#if($pageTitle.pageTags) #foreach($tag in $!pageTitle.pageTagsArray)<span class="tag">$tag</span>#end#end</li>
+ <li>#if($pageTitle.Link)<a href="${contextRoot}#escape($pageTitle.Link)">#escape($pageTitle.Title)</a>#else#escape($pageTitle.Title)#end#if($pageTitle.pageTags) #foreach($tag in $!pageTitle.pageTagsArray)<span class="tag">#escape($tag)</span>#end#end</li>
 </ol>
diff --git a/src/fitnesse/resources/templates/directoryPage.vm b/src/fitnesse/resources/templates/directoryPage.vm
@@ -1,7 +1,7 @@
 #macro( prettyPrint $s )
  #if( $s.length() > 60 )
   #set ( $t = $s.length() - 40 )
-  $s.substring(0, 15)...$s.substring($t)#else${s}#end
+  #escape($s.substring(0, 15))...#escape($s.substring($t))#else#escape(${s})#end
 #end
 <table class="dirListing">
  <thead>
@@ -16,14 +16,14 @@
  #foreach( $fileInfo in $fileInfoList )
   <tr >
    <td>
-	<a href="$fileInfo.name#if( $fileInfo.directory )/#end">
+	<a href="#escape($fileInfo.name)#if( $fileInfo.directory )/#end">
 	 #if( $fileInfo.directory )<img src="${contextRoot}files/fitnesse/images/folder.gif" alt="folder"/>#end #prettyPrint( $fileInfo.name )#if( $fileInfo.directory )/#end
 	</a>
    </td>
    <td>$fileInfo.size</td>
    <td>$fileInfo.date</td>
    <td class="buttons">
-    <a href="?responder=renameConfirmation&filename=$fileInfo.name">Rename</a>&nbsp;|&nbsp;<a href="?responder=deleteConfirmation&filename=$fileInfo.name">Delete</a>
+    <a href="?responder=renameConfirmation&filename=#escape($fileInfo.name)">Rename</a>&nbsp;|&nbsp;<a href="?responder=deleteConfirmation&filename=#escape($fileInfo.name)">Delete</a>
    </td>
   </tr>
  #end
@@ -50,4 +50,4 @@
  <fieldset class="buttons">
   <input type="submit" name="" value="Create"/>
  </fieldset>
-</form>
+</form>
diff --git a/src/fitnesse/resources/templates/renameFileConfirmation.vm b/src/fitnesse/resources/templates/renameFileConfirmation.vm
@@ -1,12 +1,12 @@
  <form method="post" action="?">
   <input type="hidden" name="responder" value="renameFile"/>
-  <input type="hidden" name="filename" value="$filename"/>
+  <input type="hidden" name="filename" value="#escape($filename)"/>
   <fieldset  class="buttons">
-    <p>Rename <b>$filename</b>.</p>
+    <p>Rename <b>#escape($filename)</b>.</p>
   </fieldset>
   <fieldset>
     <label for="rename-file">Rename to:</label>
-    <input id="rename-file" type="text" name="newName" value="$filename"/>
+    <input id="rename-file" type="text" name="newName" value="#escape($filename)"/>
   </fieldset>
   <fieldset  class="buttons">
       <input type="submit" name="renameFile" value="Rename"/>