
Anatoli Kazatchkov committed 7dc41d6

CONTRB-51



src/main/java/com/atlassian/confluence/contributors/macro/ContributorsMacro.java

 					String errorMessage = (String) parameters.get(PARAMETER_ERRORSTRING);
 					
 					if(errorMessage == null){
-						errorMessage = "No contributors found for: " + includeString + " on selected page(s)";
+						return "No contributors found for: " + GeneralUtil.htmlEncode(includeString) + " on selected page(s)";
 					}
-					return errorMessage;
+					return GeneralUtil.htmlEncode(errorMessage);
 					
 				}
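Review bot: The encoding is applied only to the two return paths in this hunk, yet `errorMessage` (read from `PARAMETER_ERRORSTRING` on the first line) and `includeString` are macro parameters under the page author's control, and the enclosing method begins and ends outside the hunk, so any other path that echoes a parameter into the returned markup needs the same `GeneralUtil.htmlEncode` call. A short comment would keep the intent from being lost on the next edit, e.g. `// Macro parameters are author-supplied; HTML-encode before they reach the rendered page`. Note also that an empty but non-null `noneFoundMessage` still bypasses the default text and renders as an empty string; if that is not intended, a blank check rather than a null check would be needed.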
 

src/test/java/com/atlassian/confluence/contributors/macro/TestContributorsMacro.java

 import com.atlassian.confluence.security.DefaultPermissionManager;
 import com.atlassian.confluence.security.Permission;
 import com.atlassian.confluence.spaces.Space;
+import com.atlassian.confluence.util.GeneralUtil;
 import com.atlassian.renderer.RenderContext;
 import com.atlassian.renderer.v2.macro.MacroException;
 import com.atlassian.user.User;
         }
     }
 
+    public void testParametersThatAreShownEncodedXSS() throws MacroException {
+        final Map<String, String> macroParameters = new HashMap<String, String>();
+
+        String unencodedScript = "<script>alert('bug')</script>";
+        macroParameters.put("noneFoundMessage", unencodedScript);
+        String renderText = macro.execute(macroParameters, StringUtils.EMPTY, getRenderContext());
+        assertEquals(GeneralUtil.htmlEncode(unencodedScript), renderText);
+        
+        macroParameters.clear();
+        macroParameters.put("include", unencodedScript);
+        renderText = macro.execute(macroParameters, StringUtils.EMPTY, getRenderContext());
+        assertEquals("No contributors found for: " + GeneralUtil.htmlEncode(unencodedScript) + " on selected page(s)", renderText);
+    }
+    
     public void testExecuteGreedy() {
         try {
             final Map macroParameters = getMacroParameters();
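Review bot: Both assertions in `testParametersThatAreShownEncodedXSS` compute the expected value with the same `GeneralUtil.htmlEncode` the implementation calls, so a regression that turned `htmlEncode` into a pass-through would still pass. Add an assertion that does not depend on the encoder, `assertFalse(renderText.contains(unencodedScript));` after each `assertEquals`, or compare against a literal fragment such as `&lt;script&gt;`. The trailing whitespace on the blank lines inside and after the new method could be dropped while you are there.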