Fix yet an other XSS

5 years ago · af4165310f
parent 10e90beb30
commit af4165310f
1 changed files with 2 additions and 2 deletions
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/allmusic.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/allmusic.jsp
@ -5,10 +5,10 @@
 </head>

 <body onload="document.allmusic.submit();" class="mainframe bgcolor1">
-<h2><fmt:message key="allmusic.text"><fmt:param value="${album}"/></fmt:message></h2>
+<h2><fmt:message key="allmusic.text"><fmt:param value="${fn:escapeXml(album)}"/></fmt:message></h2>

 <form name="allmusic" action="https://www.allmusic.com/search" method="POST" accept-charset="iso-8859-1">
-    <input type="hidden" name="search_term" value="${album}"/>
+    <input type="hidden" name="search_term" value="${fn:escapeXml(album)}"/>
    <input type="hidden" name="search_type" value="album"/>
 </form>