Merge pull request #97 from mendix/fix/xss

Fixed reported XSS vulnerability where url parameters were not encoded in html footer.
mendix · Feb 16, 2018 · 4c960ef · 4c960ef
2 parents ee6f269 + 9f4ec6b
commit 4c960ef
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 3 deletions.
diff --git a/DIST/RestServices_mx7_5.0.1.mpk b/DIST/RestServices_mx7_5.0.1.mpk
diff --git a/RestServices.mpr b/RestServices.mpr
diff --git a/javasource/restservices/RestServices.java b/javasource/restservices/RestServices.java
@@ -20,7 +20,7 @@ public class RestServices {
 	/**
 	 * Version of the RestServices module
 	 */
-	public static final String VERSION = "5.0.0";
+	public static final String VERSION = "5.0.1";
 
 	/**
 	 * Amount of objects that are processed by the module at the same time.

diff --git a/javasource/restservices/util/Utils.java b/javasource/restservices/util/Utils.java
@@ -27,6 +27,8 @@
 import com.mendix.systemwideinterfaces.core.meta.IMetaPrimitive;
 import com.mendix.systemwideinterfaces.core.meta.IMetaPrimitive.PrimitiveType;
 
+import org.owasp.encoder.Encode;
+
 public class Utils {
 
 	public static String getShortMemberName(String memberName) {
@@ -177,9 +179,10 @@ public static String removeLeadingAndTrailingSlash(String relativeUrl) {
 	public static String nullToEmpty(String statusText) {
 		return statusText == null ? "" : statusText;
 	}
-
+	
 	public static String getRequestUrl(HttpServletRequest request) {
-		return request.getRequestURL().toString() + (Utils.isEmpty(request.getQueryString()) ? "" : "?" + request.getQueryString());
+		String queryString = Encode.forUriComponent(request.getQueryString());
+		return request.getRequestURL().toString() + (Utils.isEmpty(queryString) ? "" : "?" + queryString);
 	}
 
 	public static boolean isSystemAttribute(String key) {

diff --git a/userlib/encoder-1.2.1.jar b/userlib/encoder-1.2.1.jar
diff --git a/userlib/encoder-1.2.1.jar.RestServices.RequiredLib b/userlib/encoder-1.2.1.jar.RestServices.RequiredLib