Merge pull request #870 from nimsara66/5.3.x-10121

nimsara66 · web-flow · commit 297bc7be1c3e · 2025-06-25T15:41:25.000+05:30
Escape user given xml input field to prevent xss
diff --git a/components/event-publisher/org.wso2.carbon.event.publisher.ui/src/main/resources/web/eventpublisher/eventPublisher_details.jsp b/components/event-publisher/org.wso2.carbon.event.publisher.ui/src/main/resources/web/eventpublisher/eventPublisher_details.jsp
@@ -13,6 +13,7 @@
   ~ See the License for the specific language governing permissions and
   ~ limitations under the License.
   --%>
+<%@ page import="org.apache.taglibs.standard.functions.Functions" %>
 <%@ page
         import="org.wso2.carbon.event.publisher.stub.EventPublisherAdminServiceStub" %>
 
@@ -363,7 +364,7 @@
                    name="<%=eventPublisherPropertyDto[index].getKey()%>"
                    id="<%=propertyId%><%=index%>" class="initE"
                    style="width:75%"
-                   value="<%= eventPublisherPropertyDto[index].getValue() != null ? eventPublisherPropertyDto[index].getValue() : "" %>" disabled="disabled"/>
+                   value="<%= eventPublisherPropertyDto[index].getValue() != null ? Functions.escapeXml(eventPublisherPropertyDto[index].getValue()) : "" %>" disabled="disabled"/>
 
             <% } %>
 
@@ -443,7 +444,7 @@
                    name="<%=eventPublisherPropertyDto[index].getKey()%>"
                    id="<%=propertyId%><%=index%>" class="initE"
                    style="width:75%"
-                   value="<%= eventPublisherPropertyDto[index].getValue() != null ? eventPublisherPropertyDto[index].getValue() : "" %>" disabled="disabled"/>
+                   value="<%= eventPublisherPropertyDto[index].getValue() != null ? Functions.escapeXml(eventPublisherPropertyDto[index].getValue()) : "" %>" disabled="disabled"/>
 
             <% } %>
 
diff --git a/components/event-receiver/org.wso2.carbon.event.receiver.ui/src/main/resources/web/eventreceiver/eventReceiver_details.jsp b/components/event-receiver/org.wso2.carbon.event.receiver.ui/src/main/resources/web/eventreceiver/eventReceiver_details.jsp
@@ -13,6 +13,7 @@
   ~ See the License for the specific language governing permissions and
   ~ limitations under the License.
   --%>
+<%@ page import="org.apache.taglibs.standard.functions.Functions" %>
 <%@ page
         import="org.wso2.carbon.event.receiver.stub.EventReceiverAdminServiceStub" %>
 
@@ -324,7 +325,7 @@
                    name="<%=eventReceiverPropertyDto[index].getKey()%>"
                    id="<%=propertyId%><%=index%>" class="initE"
                    style="width:75%"
-                   value="<%= eventReceiverPropertyDto[index].getValue() != null ? eventReceiverPropertyDto[index].getValue() : "" %>" disabled="disabled"/>
+                   value="<%= eventReceiverPropertyDto[index].getValue() != null ? Functions.escapeXml(eventReceiverPropertyDto[index].getValue()) : "" %>" disabled="disabled"/>
 
             <% } %>
 
