fix cross-site scripting vulnerability

zkoss · Aug 23, 2024 · 1aa5d8f · 1aa5d8f
1 parent 846b22d
commit 1aa5d8f
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/zk/src/main/java/org/zkoss/zk/ui/http/WpdExtendlet.java b/zk/src/main/java/org/zkoss/zk/ui/http/WpdExtendlet.java
@@ -159,7 +159,7 @@ protected byte[] retrieve(HttpServletRequest request, HttpServletResponse respon
 			boolean pkgStart = path.endsWith("0.wpd");
 			boolean pkgEnd = path.endsWith("$.wpd");
 			int lastPartIndex = path.lastIndexOf("/") + 1;
-			String lastPart = path.substring(lastPartIndex);
+			String lastPart = Encode.forJavaScript(path.substring(lastPartIndex));
 			String pkgName = lastPart.replaceAll("[\\d]{1,2}\\.wpd", "");
 			if (pkgStart || pkgEnd) {
 				if (pkgStart) {
@@ -780,7 +780,7 @@ private static String outMain(String main, Map<String, String[]> params) {
 			}
 		}
 
-		sb.append(JSONObject.toJSONString(ms)).append(")\n})");
+		sb.append(Encode.forJavaScript(JSONObject.toJSONString(ms))).append(")\n})");
 		return sb.toString();
 	}
 
@@ -1063,7 +1063,7 @@ private byte[] processDynamicWpdWithSourceMapIfAny(HttpServletRequest request, H
 			} catch (javax.servlet.ServletException ex) {
 				throw new UiException(ex);
 			}
-			sb.append(scriptVariableName).append(".src='").append(url).append("';");
+			sb.append(scriptVariableName).append(".src='").append(Encode.forJavaScript(url)).append("';");
 			sb.append("\ndocument.getElementsByTagName('head')[0].appendChild(").append(scriptVariableName).append(");");
 			lastWpd = dividedPath.substring(dividedPath.lastIndexOf("/") + 1);
 		}