From 1aa5d8f9d4dc47e8f6cd674b9487b3f92307246f Mon Sep 17 00:00:00 2001
From: Jumper Chen
Date: Fri, 23 Aug 2024 17:42:38 +0800
Subject: [PATCH] fix cross-site scripting vulnerability

---
 zk/src/main/java/org/zkoss/zk/ui/http/WpdExtendlet.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/zk/src/main/java/org/zkoss/zk/ui/http/WpdExtendlet.java b/zk/src/main/java/org/zkoss/zk/ui/http/WpdExtendlet.java
index 3b854cf955..7aecdd31d5 100644
--- a/zk/src/main/java/org/zkoss/zk/ui/http/WpdExtendlet.java
+++ b/zk/src/main/java/org/zkoss/zk/ui/http/WpdExtendlet.java
@@ -159,7 +159,7 @@ protected byte[] retrieve(HttpServletRequest request, HttpServletResponse respon
 		boolean pkgStart = path.endsWith("0.wpd");
 		boolean pkgEnd = path.endsWith("$.wpd");
 		int lastPartIndex = path.lastIndexOf("/") + 1;
-		String lastPart = path.substring(lastPartIndex);
+		String lastPart = Encode.forJavaScript(path.substring(lastPartIndex));
 		String pkgName = lastPart.replaceAll("[\\d]{1,2}\\.wpd", "");
 		if (pkgStart || pkgEnd) {
 			if (pkgStart) {
@@ -780,7 +780,7 @@ private static String outMain(String main, Map params) {
 			}
 		}
 
-		sb.append(JSONObject.toJSONString(ms)).append(")\n})");
+		sb.append(Encode.forJavaScript(JSONObject.toJSONString(ms))).append(")\n})");
 		return sb.toString();
 	}
 
@@ -1063,7 +1063,7 @@ private byte[] processDynamicWpdWithSourceMapIfAny(HttpServletRequest request, H
 			} catch (javax.servlet.ServletException ex) {
 				throw new UiException(ex);
 			}
 			sb.append(scriptVariableName).append(".src='").append(url).append("';");
 			sb.append(scriptVariableName).append(".src='").append(Encode.forJavaScript(url)).append("';");
 			sb.append("\ndocument.getElementsByTagName('head')[0].appendChild(").append(scriptVariableName).append(");");
 			lastWpd = dividedPath.substring(dividedPath.lastIndexOf("/") + 1);
 		}
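Review bot: `lastPart` is encoded at the point it is parsed out of the request path rather than at the point it is written into script output, and `pkgName` is then derived from the already-encoded value on the following line. Whether that is correct depends on every later use of `lastPart` and `pkgName` in retrieve(), which is outside this hunk: `Encode.forJavaScript` is only the right transform for text placed inside a quoted JavaScript string literal, so any use as a resource lookup key, file path, log message or unquoted identifier position now sees backslash escape sequences instead of the original characters. I would leave the parsing untouched, `String lastPart = path.substring(lastPartIndex);`, and apply `Encode.forJavaScript(pkgName)` at the `append` that emits it, with a comment there such as `// pkgName is request-derived and is emitted inside a JS string literal`. Encoding at the sink also keeps the `pkgStart`/`pkgEnd` branches, which still read the raw `path`, consistent with the derived names.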
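Review bot: Wrapping the whole serialized map in `Encode.forJavaScript` looks like it breaks the emitted script instead of hardening it, because the JSON is appended as an unquoted call argument (it is followed directly by `)`), while `forJavaScript` is defined for text inside a quoted string literal. Assuming `Encode` is the OWASP Java Encoder (its import is not in this hunk), every `"` becomes `\x22`, so any non-empty `ms` yields `{\x22k\x22:\x22v\x22}`, which is a JavaScript syntax error; only an empty map still works. The quoting a JS object literal needs is the serializer's own string escaping, so the thing to confirm is what `JSONObject.toJSONString` escapes (`"`, `\`, and ideally `/`, U+2028 and U+2029) and to close any gap per value rather than re-encode the structure; a comment such as `// ms is emitted as a JS object literal: rely on JSON string escaping, do not JS-encode the whole document` would stop the next reader from repeating this. The beginning of outMain, including where `main` and the other arguments are appended, is outside this hunk, so I cannot tell whether the request-derived `main` name is the actual injection point this commit is meant to close.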
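Review bot: `Encode.forJavaScript(url)` is the right encoder for this sink, since `url` lands inside the single-quoted `.src='…'` literal, but it only prevents breaking out of the literal; it does not constrain which script the appended `<script>` element loads. `url` is produced in the `try` block just above (its construction is outside the hunk) and `dividedPath` reads like a request-derived path, so if `..` segments or a `//host` prefix can reach it, the browser will fetch and execute whatever that resolves to, encoded or not. I would add a comment naming the context, `// url is written into a single-quoted JS string literal; keep forJavaScript here`, and, if it is not already done upstream, normalize `dividedPath` and reject anything that does not stay under the expected resource prefix before `url` is built. The enclosing loop or method body starts outside this hunk.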