From: Jouni Koivuviita
Date: Thu, 24 Jul 2008 07:57:56 +0000 (+0000)
Subject: Fixed a possible security vulnerability in IWindow. The window caption string was...
X-Git-Tag: 6.7.0.beta1~4414
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=5a21271a367a85507d399e15ce66861efb320b11;p=vaadin-framework.git

Fixed a possible security vulnerability in IWindow. The window caption string was not escaped, and any HTML could be passed and parsed inside it.

svn changeset:5115/svn branch:trunk
---
diff --git a/src/com/itmill/toolkit/terminal/gwt/client/ui/IWindow.java b/src/com/itmill/toolkit/terminal/gwt/client/ui/IWindow.java
index 10bfd939be..76c7a9ea81 100644
--- a/src/com/itmill/toolkit/terminal/gwt/client/ui/IWindow.java
+++ b/src/com/itmill/toolkit/terminal/gwt/client/ui/IWindow.java
@@ -491,7 +491,7 @@ public class IWindow extends PopupPanel implements Paintable, ScrollListener {
 }
 public void setCaption(String c, String icon) {
- String html = c;
+ String html = Util.escapeHTML(c);
 if (icon != null) {
 icon = client.translateToolkitUri(icon);
 html = "" + html;
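Review bot: In `setCaption`, only `c` is passed through `Util.escapeHTML`; the `icon` value in the trailing context lines is still joined into `html` after `client.translateToolkitUri(icon)` with no visible encoding. The string literal on the last line appears empty in this rendering, probably because markup was lost in extraction, so if `icon` is placed inside an attribute value there it needs attribute-safe encoding (quotes included) and ideally a check of the URI scheme, otherwise the icon parameter remains an unescaped route into the same markup. A short comment on the changed line, such as `// caption is plain text; escape it before it is used as HTML`, would keep a later edit from reverting to the raw string. The method body continues past the end of the hunk, so how `html` is finally applied to the widget is not visible here.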