From 7a529105bea6c073f7d069d847b3bfef995af50f Mon Sep 17 00:00:00 2001
From: ale
Date: Thu, 21 Jan 2021 18:41:54 +0100
Subject: [PATCH] HTML-escaping of xss payload in comment field
---
 src/web/spark-form.jsp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/web/spark-form.jsp b/src/web/spark-form.jsp
index d02ddf7ae..057666f4c 100644
--- a/src/web/spark-form.jsp
+++ b/src/web/spark-form.jsp
@@ -8,6 +8,7 @@
 <%@ page import="org.apache.commons.fileupload.DiskFileUpload"%>
 <%@ page import="java.util.List"%>
 <%@ page import="org.apache.commons.fileupload.FileUploadException"%>
+<%@ page import="org.apache.commons.text.StringEscapeUtils"%>
 <%@ page import="org.jivesoftware.util.Log"%>
 <%@ page import="org.apache.commons.fileupload.FileItem"%>
 <%@ page import="java.util.Iterator"%>
@@ -331,7 +332,7 @@ - +
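Review bot: The escaping call this import exists for is in the second hunk (`@@ -331,7 +332,7 @@`), whose changed lines did not survive extraction on this page, so the fix itself cannot be reviewed here and the import hunk is only half of the change. If that call is `StringEscapeUtils.escapeHtml4`, note that it is correct for element text and double-quoted attribute values but does not escape the single quote, so a comment value written into a single-quoted attribute, a JavaScript block or a URL is still unsafe; double-quote the attribute or use the escaper for that context, and consider a short comment at the call site such as `<%-- user-supplied; HTML-escape before writing into the page --%>`. The new `org.apache.commons.text` import also assumes commons-text is on the web app's classpath, and because a JSP is compiled lazily a missing jar surfaces as a page error at request time rather than at build time, so confirm the dependency is declared. Any other request-derived values this form echoes back would presumably need the same treatment; that cannot be verified from the visible hunks.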