From 3e926f83e54108b29c76296b1bd9da9da352bac5 Mon Sep 17 00:00:00 2001
From: ale
Date: Thu, 21 Jan 2021 19:48:28 +0100
Subject: [PATCH] HTML-escaping of xss payload in NodeJS Applcation Path
---
src/web/nodejs.jsp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/web/nodejs.jsp b/src/web/nodejs.jsp
index 8b4bd5c..fd6cb6f 100644
--- a/src/web/nodejs.jsp
+++ b/src/web/nodejs.jsp
@@ -3,6 +3,7 @@
 <%@ page import="org.ifsoft.nodejs.openfire.*" %>
 <%@ page import="org.jivesoftware.openfire.*" %>
 <%@ page import="org.jivesoftware.util.*" %>
+<%@ page import="org.apache.commons.text.StringEscapeUtils"%>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
 <%
@@ -50,7 +51,7 @@ ">
+ value="<%= StringEscapeUtils.escapeHtml4(JiveGlobals.getProperty("org.ifsoft.nodejs.openfire.path", plugin.getPath())) %>">
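Review bot: On the added `value=` line, `StringEscapeUtils.escapeHtml4` is enough only because the attribute is double-quoted: it encodes `"`, `&`, `<` and `>` but leaves `'` unchanged, so the protection would lapse if the markup moved to single quotes or the value were reused in a script context. A JSP comment above the input, `<%-- escaped for a double-quoted HTML attribute; re-encode if the output context changes --%>`, would record that constraint. The new import in the first hunk assumes commons-text is on the JSP classpath, which this one-file patch does not show; if it is not guaranteed, `StringUtils.escapeForXML(...)` from the already imported `org.jivesoftware.util.*` would avoid the extra dependency. The surrounding form is not visible in the hunk, so whether the same property is echoed elsewhere on the page, or validated when it is saved, still needs checking.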