escape tags

unclebob · Oct 23, 2024 · f9b2912 · f9b2912
1 parent 8558af4
commit f9b2912
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/src/fitnesse/resources/templates/searchResults.vm b/src/fitnesse/resources/templates/searchResults.vm
@@ -35,7 +35,7 @@
    </td>
    <td style="text-align: right;">
    #set ( $tags = $result.getData().getAttribute("Suites") )
-	<label>#if ($tags && !$tags.equals("null"))$tags#end</label>
+	<label>#if ($tags && !$tags.equals("null"))#escape($tags)#end</label>
    </td>
    <td>$result.getData().getProperties().getLastModificationTime()
    </td>
@@ -65,4 +65,4 @@
 <script language="javascript">document.getElementById("feedback").innerHTML = 'Found $hits result for your search.'</script>
 #else
 <script language="javascript">document.getElementById("feedback").innerHTML = 'No pages matched your search criteria.'</script>
-#end
+#end
diff --git a/test/fitnesse/responders/search/SearchResponderTest.java b/test/fitnesse/responders/search/SearchResponderTest.java
@@ -8,9 +8,7 @@
 import fitnesse.http.Request;
 import fitnesse.http.Response;
 import fitnesse.testutil.FitNesseUtil;
-import fitnesse.wiki.PathParser;
-import fitnesse.wiki.WikiPage;
-import fitnesse.wiki.WikiPageUtil;
+import fitnesse.wiki.*;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -27,6 +25,7 @@ public class SearchResponderTest {
   public void setUp() throws Exception {
     context = FitNesseUtil.makeTestContext();
     WikiPage somePage = WikiPageUtil.addPage(context.getRootPage(), PathParser.parse("SomePage"), "has something in it");
+
     WikiPageUtil.addPage(somePage, PathParser.parse("SomeTest"), "test page content");
     WikiPageUtil.addPage(somePage, PathParser.parse("SomeSuite"), "suite page content");
     request = new MockRequest();
@@ -218,4 +217,14 @@ public void suiteLinkShouldContainFullPagePath() throws Exception {
 
     assertSubString("<a href=\"SomePage.SomeSuite?suite\">Suite</a>", searchPageContent);
   }
+  @Test
+  public void tagsShouldBeEscaped() throws Exception {
+    WikiPage somePage = context.getRootPage().getChildPage("SomePage");
+    PageData data = somePage.getData();
+    data.setAttribute(WikiPageProperty.SUITES, " <script>TEST</script> ");
+    somePage.commit(data);
+    String searchPageContent = getResponseContentUsingSearchString("something");
+
+    assertSubString("&lt;script&gt;TEST&lt;/script&gt;", searchPageContent);
+  }
 }