Diffstat (limited to 'server/src')
-rw-r--r-- | server/src/com/vaadin/server/VaadinServlet.java | 6 | ||||
-rw-r--r-- | server/src/com/vaadin/ui/UI.java | 8 |
2 files changed, 9 insertions, 5 deletions
diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java
index 4fd1e97a40..d1242676da 100644
--- a/server/src/com/vaadin/server/VaadinServlet.java
+++ b/server/src/com/vaadin/server/VaadinServlet.java
@@ -573,8 +573,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
     /**
      * A helper method to strip away characters that might somehow be used for
-     * XSS attacs. Leaves at least alphanumeric characters intact. Also removes
-     * eg. ( and ), so values should be safe in javascript too.
+     * XSS attacks. Leaves at least alphanumeric characters intact. Also removes
+     * e.g. '(' and ')', so values should be safe in javascript too.
      *
      * @param themeName
      * @return
@@ -583,7 +583,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
      *             version
      */
     @Deprecated
-    protected static String stripSpecialChars(String themeName) {
+    public static String stripSpecialChars(String themeName) {
         StringBuilder sb = new StringBuilder();
         char[] charArray = themeName.toCharArray();
         for (int i = 0; i < charArray.length; i++) {
diff --git a/server/src/com/vaadin/ui/UI.java b/server/src/com/vaadin/ui/UI.java
index 78cb5488e8..44948dfb6f 100644
--- a/server/src/com/vaadin/ui/UI.java
+++ b/server/src/com/vaadin/ui/UI.java
@@ -633,7 +633,11 @@ public abstract class UI extends AbstractSingleComponentContainer implements
         this.embedId = embedId;
 
         // Actual theme - used for finding CustomLayout templates
-        getState().theme = request.getParameter("theme");
+        String unescapedThemeName = request.getParameter("theme");
+        if (unescapedThemeName != null) {
+            // Set theme escapes the name
+            setTheme(unescapedThemeName);
+        }
 
         getPage().init(request);
 
@@ -1164,7 +1168,7 @@ public abstract class UI extends AbstractSingleComponentContainer implements
      *             The new theme name
      */
     public void setTheme(String theme) {
-        getState().theme = theme;
+        getState().theme = VaadinServlet.stripSpecialChars(theme);
     }
 
     /**
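Review bot: Widening stripSpecialChars from protected to public while it stays @Deprecated ("Will likely change or be removed in a future version") is contradictory now that UI.setTheme depends on it as its sanitizer; either drop the deprecation or document that the method is retained for that purpose. The Javadoc also leaves `@param themeName` and `@return` empty and only says "at least alphanumeric characters" survive, which is too vague for a method whose contract is a security filter — state the exact set of characters that is kept, e.g. `@param themeName the raw theme name, must not be null` and `@return a copy of themeName containing only the characters accepted by the filter`. A reader cannot see the allow-list from this hunk; the method body continues past the end of the hunk.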
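Review bot: The added comment `// Set theme escapes the name` is misleading: stripSpecialChars removes disallowed characters rather than escaping them, so a theme parameter containing such characters is silently mapped to a different theme name instead of being rejected or encoded. Reword it to match the actual behavior, e.g. `// setTheme() strips characters that are not allowed in a theme name`, so a later maintainer does not assume the original value is preserved in encoded form. The enclosing init method starts and ends outside the hunk.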
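Review bot: setTheme(null) now throws a NullPointerException, because stripSpecialChars calls `themeName.toCharArray()` on its argument unconditionally (visible in the VaadinServlet hunk) and setTheme no longer guards for null; before this change the assignment simply stored null, which callers may rely on to reset the theme. Keep the old null behavior while still sanitizing non-null input: `getState().theme = theme == null ? null : VaadinServlet.stripSpecialChars(theme);`. The Javadoc for `@param theme` should also say whether null is accepted.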