From 60541654a2124b385c2a155f3d3c9cf3ab4cd2a0 Mon Sep 17 00:00:00 2001
From: hoangnt2
Date: Tue, 26 Nov 2024 15:23:27 +0700
Subject: [PATCH] Fix(User): Fix XSS vulnerability for revoke token endpoint

Signed-off-by: hoangnt2
---
 .../eclipse/sw360/rest/resourceserver/user/UserController.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/user/UserController.java b/rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/user/UserController.java
index 5ea5261767..6787c7a6cb 100644
--- a/rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/user/UserController.java
+++ b/rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/user/UserController.java
@@ -23,7 +23,6 @@
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.RandomStringUtils;
-import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.thrift.TException;
 import org.eclipse.sw360.datahandler.common.CommonUtils;
 import org.eclipse.sw360.datahandler.common.SW360Constants;
@@ -368,7 +367,7 @@ public ResponseEntity revokeUserRestApiToken(
         User sw360User = restControllerHelper.getSw360UserFromAuthentication();
         if (!userService.isTokenNameExisted(sw360User, tokenName)) {
-            return new ResponseEntity<>("Token not found: " + StringEscapeUtils.escapeHtml(tokenName), HttpStatus.NOT_FOUND);
+            return new ResponseEntity<>("Token not found", HttpStatus.NOT_FOUND);
         }
         sw360User.getRestApiTokens().removeIf(t -> t.getName().equals(tokenName));