summaryrefslogtreecommitdiffstats
path: root/server/src
diff options
context:
space:
mode:
Diffstat (limited to 'server/src')
-rw-r--r--server/src/com/vaadin/server/VaadinServlet.java6
-rw-r--r--server/src/com/vaadin/ui/UI.java8
2 files changed, 9 insertions, 5 deletions
diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java
index 4fd1e97a40..d1242676da 100644
--- a/server/src/com/vaadin/server/VaadinServlet.java
+++ b/server/src/com/vaadin/server/VaadinServlet.java
@@ -573,8 +573,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
/**
* A helper method to strip away characters that might somehow be used for
- * XSS attacs. Leaves at least alphanumeric characters intact. Also removes
- * eg. ( and ), so values should be safe in javascript too.
+ * XSS attacks. Leaves at least alphanumeric characters intact. Also removes
+ * e.g. '(' and ')', so values should be safe in javascript too.
*
* @param themeName
* @return
@@ -583,7 +583,7 @@ public class VaadinServlet extends HttpServlet implements Constants {
* version
*/
@Deprecated
- protected static String stripSpecialChars(String themeName) {
+ public static String stripSpecialChars(String themeName) {
StringBuilder sb = new StringBuilder();
char[] charArray = themeName.toCharArray();
for (int i = 0; i < charArray.length; i++) {
diff --git a/server/src/com/vaadin/ui/UI.java b/server/src/com/vaadin/ui/UI.java
index 78cb5488e8..44948dfb6f 100644
--- a/server/src/com/vaadin/ui/UI.java
+++ b/server/src/com/vaadin/ui/UI.java
@@ -633,7 +633,11 @@ public abstract class UI extends AbstractSingleComponentContainer implements
this.embedId = embedId;
// Actual theme - used for finding CustomLayout templates
- getState().theme = request.getParameter("theme");
+ String unescapedThemeName = request.getParameter("theme");
+ if (unescapedThemeName != null) {
+ // Set theme escapes the name
+ setTheme(unescapedThemeName);
+ }
getPage().init(request);
@@ -1164,7 +1168,7 @@ public abstract class UI extends AbstractSingleComponentContainer implements
* The new theme name
*/
public void setTheme(String theme) {
- getState().theme = theme;
+ getState().theme = VaadinServlet.stripSpecialChars(theme);
}
/**