Merge pull request #98 from mendix/backport/fix/xss

Fix for XSS vunerability in rest page footer
mendix · Feb 19, 2018 · 5b27ead · 5b27ead
2 parents 67ae53f + d5baf63
commit 5b27ead
Show file tree

Hide file tree

Showing 6 changed files with 5 additions and 2 deletions.
diff --git a/DIST/RestServices_mx7_4.2.3.mpk b/DIST/RestServices_mx7_4.2.3.mpk
diff --git a/RestServices.mpr b/RestServices.mpr
diff --git a/javasource/restservices/RestServices.java b/javasource/restservices/RestServices.java
@@ -20,7 +20,7 @@ public class RestServices {
 	/**
 	 * Version of the RestServices module
 	 */
-	public static final String VERSION = "4.2.2";
+	public static final String VERSION = "4.2.3";
 
 	/**
 	 * Amount of objects that are processed by the module at the same time.

diff --git a/javasource/restservices/util/Utils.java b/javasource/restservices/util/Utils.java
@@ -27,6 +27,8 @@
 import com.mendix.systemwideinterfaces.core.meta.IMetaPrimitive;
 import com.mendix.systemwideinterfaces.core.meta.IMetaPrimitive.PrimitiveType;
 
+import org.owasp.encoder.Encode;
+
 public class Utils {
 
 	public static String getShortMemberName(String memberName) {
@@ -179,7 +181,8 @@ public static String nullToEmpty(String statusText) {
 	}
 
 	public static String getRequestUrl(HttpServletRequest request) {
-		return request.getRequestURL().toString() + (Utils.isEmpty(request.getQueryString()) ? "" : "?" + request.getQueryString());
+		String queryString = Encode.forUriComponent(request.getQueryString());
+		return request.getRequestURL().toString() + (Utils.isEmpty(queryString) ? "" : "?" + queryString);
 	}
 
 	public static boolean isSystemAttribute(String key) {

diff --git a/userlib/encoder-1.2.1.jar b/userlib/encoder-1.2.1.jar
diff --git a/userlib/encoder-1.2.1.jar.RestServices.RequiredLib b/userlib/encoder-1.2.1.jar.RestServices.RequiredLib