Commit
Merge pull request #7367 from KD23243/removejsfromcallback
pavinduLakshan authored Jan 23, 2025
2 parents c629a68 + 85c90ff commit a99d84e
Showing 2 changed files with 19 additions and 4 deletions.
5 changes: 5 additions & 0 deletions .changeset/curly-bags-relate.md
@@ -0,0 +1,5 @@
---
"@wso2is/identity-apps-core": patch
---

Add sanitation to self registration callback
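Review bot: the changeset text "Add sanitation to self registration callback" has a typo ("sanitation" should be "sanitization") and is too thin for a security-relevant patch; since this file feeds the release notes, state what the change does, e.g. "Reject javascript:/data:/file:/ftp: schemes in the self-registration backToUrl and HTML-escape it before rendering the Sign-in link", so downstream consumers can tell what was fixed.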
@@ -737,13 +737,18 @@

<div class="ui divider hidden"></div>
<%
if (!StringUtils.equalsIgnoreCase(backToUrl,"null") && !StringUtils.isBlank(backToUrl)) {
if (!StringUtils.equalsIgnoreCase(backToUrl, "null") &&
!StringUtils.isBlank(backToUrl) &&
!backToUrl.toLowerCase().contains("javascript:") &&
!backToUrl.toLowerCase().contains("file:") &&
!backToUrl.toLowerCase().contains("ftp:") &&
!backToUrl.toLowerCase().contains("data:")) {
%>
<div class="buttons mt-2">
<div class="field external-link-container text-small">
<%=IdentityManagementEndpointUtil.i18n(recoveryResourceBundle,
"Already.have.an.account")%>
<a href="<%= StringEscapeUtils.escapeHtml4(backToUrl) %>">
<a href="<%=backToUrl%>">
<%=IdentityManagementEndpointUtil.i18n(recoveryResourceBundle, "Sign.in")%>
</a>
</div>
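Review bot: the four `!backToUrl.toLowerCase().contains("...")` conditions are a substring denylist, which is the wrong shape for this check: a legitimate URL that merely contains one of those tokens (for instance inside a query parameter) is rejected, and any scheme not in the list is still accepted. Prefer an allowlist: parse the value with `java.net.URI` and only render the link when `getScheme()` is null (a relative path) or equals `http`/`https`, ideally also comparing the host against the configured server origin. Two smaller points on the same lines: use `toLowerCase(Locale.ROOT)` rather than the default-locale `toLowerCase()`, because locale-sensitive case mapping can change the letters being compared; and keep `StringEscapeUtils.escapeHtml4(backToUrl)` on the `href` regardless, since it addresses the attribute-injection context rather than the scheme. Since the identical block is repeated further down in this file, the whole validation belongs in one shared helper (for example beside the existing `IdentityManagementEndpointUtil` calls) so both call sites cannot drift apart.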
@@ -1296,13 +1301,18 @@
</div>
<div class="ui divider hidden"></div>
<%
if (!StringUtils.equalsIgnoreCase(backToUrl,"null") && !StringUtils.isBlank(backToUrl)) {
if (!StringUtils.equalsIgnoreCase(backToUrl, "null") &&
!StringUtils.isBlank(backToUrl) &&
!backToUrl.toLowerCase().contains("javascript:") &&
!backToUrl.toLowerCase().contains("file:") &&
!backToUrl.toLowerCase().contains("ftp:") &&
!backToUrl.toLowerCase().contains("data:")) {
%>
<div class="buttons mt-2">
<div class="field external-link-container text-small">
<%=IdentityManagementEndpointUtil.i18n(recoveryResourceBundle,
"Already.have.an.account")%>
<a href="<%= StringEscapeUtils.escapeHtml4(backToUrl) %>">
<a href="<%=backToUrl%>">
<%=IdentityManagementEndpointUtil.i18n(recoveryResourceBundle, "Sign.in")%>
</a>
</div>
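Review bot: this hunk is a line-for-line copy of the earlier one (same six-condition `if`, same `escapeHtml4` on the `href`), so the same allowlist-versus-denylist and `Locale.ROOT` comments apply here; rather than maintaining the scheme check twice in one JSP, replace both copies with a call to a single helper that returns a validated `backToUrl` or null, and have each block test only that result.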

0 comments on commit a99d84e