Improved: Prevent URL parameters manipulation (OFBIZ-13147)

Reverts the revert in OFBIZ-13162 Adds a @SuppressWarnings("unused") to MacroFormRenderer::executeMacro
apache · Nov 26, 2024 · 578cb53 · 578cb53
1 parent eee6ccb
commit 578cb53
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
@@ -157,6 +157,7 @@ private void executeMacro(Appendable writer, String macro) {
      * @param locale
      * @param macro
      */
+    @SuppressWarnings("unused")
     private void executeMacro(Appendable writer, Locale locale, String macro) {
         ftlWriter.processFtlString(writer, locale, macro);
     }

diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroMenuRenderer.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroMenuRenderer.java
@@ -268,7 +268,12 @@ public void renderLink(Appendable writer, Map<String, Object> context, MenuLink
                 targetParameters.append(parameter.getKey());
                 targetParameters.append("'");
                 targetParameters.append(",'value':'");
-                targetParameters.append(parameter.getValue());
+                UtilCodec.SimpleEncoder simpleEncoder = (UtilCodec.SimpleEncoder) context.get("simpleEncoder");
+                if (simpleEncoder != null) {
+                    targetParameters.append(simpleEncoder.encode(parameter.getValue()));
+                } else {
+                    targetParameters.append(parameter.getValue());
+                }
                 targetParameters.append("'}");
             }
             targetParameters.append("]");