#845 Add html escape for template information

support-project · Sep 9, 2017 · 152e478 · 152e478
1 parent 4e40939
commit 152e478
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/main/webapp/WEB-INF/views/protect/knowledge/partials/partials-edit-meta.jsp b/src/main/webapp/WEB-INF/views/protect/knowledge/partials/partials-edit-meta.jsp
@@ -1,3 +1,4 @@
+<%@page import="org.support.project.common.util.HtmlUtils"%>
 <%@page pageEncoding="UTF-8" isELIgnored="false" session="false" errorPage="/WEB-INF/views/commons/errors/jsp_error.jsp"%>
 <%@page import="java.io.PrintWriter"%>
 <%@page import="org.support.project.common.util.StringUtils"%>
@@ -40,11 +41,11 @@
                         }
                         builder.append(" />");
                         if (!StringUtils.isEmpty(template.getTypeIcon())) {
-                            builder.append("<i class=\"fa ").append(template.getTypeIcon()).append("\" ></i>&nbsp;");
+                            builder.append("<i class=\"fa ").append(HtmlUtils.escapeHTML(template.getTypeIcon())).append("\" ></i>&nbsp;");
                         } else {
                             builder.append("<i class=\"fa fa-edit\"></i>&nbsp;");
                         }
-                        builder.append(template.getTypeName());
+                        builder.append(HtmlUtils.escapeHTML(template.getTypeName()));
                         %>
                         <%= builder.toString() %>
                     </label>