Diffstat (limited to 'documentation/datamodel/datamodel-forms.asciidoc')
-rw-r--r--documentation/datamodel/datamodel-forms.asciidoc8
1 files changed, 7 insertions, 1 deletions
diff --git a/documentation/datamodel/datamodel-forms.asciidoc b/documentation/datamodel/datamodel-forms.asciidoc
index 0a040230c6..f34bae1aa2 100644
--- a/documentation/datamodel/datamodel-forms.asciidoc
+++ b/documentation/datamodel/datamodel-forms.asciidoc
@@ -572,10 +572,16 @@ BinderValidationStatusHandler defaultHandler = binder.getValidationStatusHandler
binder.setValidationStatusHandler(status -> {
// create an error message on failed bean level validations
List<Result<?>> errors = status.getBeanValidationErrors();
+
// collect all bean level error messages into a single string,
// separating each message with a <br> tag
String errorMessage = errors.stream().map(Result::getMessage)
- .map(o -> o.get()).collect(Collectors.joining("<br>"));
+ .map(o -> o.get())
+ // sanitize the individual error strings to avoid code injection
+ // since we are displaying the resulting string as HTML
+ .map(errorString -> Jsoup.clean(errorString, Whitelist.simpleText()))
+ .collect(Collectors.joining("<br>"));
+
// finally, display all bean level validation errors in a single label
formStatusLabel.setValue(errorMessage);
formStatusLabel.setVisible(!errorMessage.isEmpty());
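Review bot: `Whitelist.simpleText()` on the new `.map(errorString -> Jsoup.clean(...))` line is an allow-list that still lets a few inline formatting tags through (b, em, i, strong, u), so the messages are sanitized HTML rather than plain text; if validation messages are never expected to carry markup, `Whitelist.none()` is the tighter choice and matches what the surrounding comment promises. The comment itself would be clearer if it named the actual risk instead of "code injection": `// strip HTML from each message so that message text cannot be rendered as markup (XSS), since the joined result is shown as HTML`. Newer jsoup releases rename `Whitelist` to `Safelist`, so the example may want to state which jsoup version it targets, and the listing presumably needs matching imports that are not visible here. The `setValidationStatusHandler` lambda opened at the top of the hunk closes outside it.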