From 12dbf8d9509d7078205aa5e3445c9e04b4a98b1d Mon Sep 17 00:00:00 2001 From: Marty Pradere Date: Mon, 22 Jun 2026 14:36:24 -0600 Subject: [PATCH] Escape HTML in LDKController to prevent XSS Escape each container-scoped-table validation message with PageFlowUtil.filter before joining with
in the table-inspection view, since direct DB inserts can place arbitrary content in those messages. Also escape the redirect URL in the invalid-redirect error message by switching from HtmlString.unsafe to HtmlString.of.
---
 LDK/src/org/labkey/ldk/LDKController.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/LDK/src/org/labkey/ldk/LDKController.java b/LDK/src/org/labkey/ldk/LDKController.java
index 6709803f..b57cdc7f 100644
--- a/LDK/src/org/labkey/ldk/LDKController.java
+++ b/LDK/src/org/labkey/ldk/LDKController.java
@@ -92,6 +92,7 @@ import java.util.Map;
 import java.util.Set;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
 public class LDKController extends SpringActionController
 {
@@ -439,9 +440,9 @@ public ModelAndView getView(Object form, BindException errors) throws Exception
 List messages = service.validateContainerScopedTables(false);
 String sb = "This page is designed to inspect all registered container scoped tables and report any tables with duplicate keys in the same container. This should be enforced by the user schema; however, direct DB inserts will bypass this check.

" +
- StringUtils.join(messages, "
");
+ messages.stream().map(PageFlowUtil::filter).collect(Collectors.joining("
"));
- return new HtmlView(HtmlString.of(sb));
+ return new HtmlView(HtmlString.unsafe(sb));
 }
 @Override
@@ -912,7 +913,7 @@ public ModelAndView getView(Object form, BindException errors) throws Exception
 }
 catch (URISyntaxException e)
 {
- return new HtmlView(HtmlString.unsafe("Invalid redirect URL set: " + urlString));
+ return new HtmlView(HtmlString.of("Invalid redirect URL set: " + urlString));
 }
 }
 }
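Review bot: `HtmlString.unsafe(sb)` on the new return line marks the whole concatenated string as trusted, so the fix now depends on every value appended to `sb` having gone through `PageFlowUtil.filter` first; a later edit that concatenates one more unescaped value would silently reintroduce the XSS this commit closes. Only the static prose and the separator markup need to be trusted, so building the output with the HtmlString API instead (per-fragment `HtmlString.of` for the messages, with `unsafe` reserved for the literal separator, or the project's HtmlStringBuilder if it is available in this class) keeps the trusted/untrusted boundary in the types rather than in reviewer discipline. As a smaller point, `sb` no longer names a StringBuilder; `html` would describe the joined string better. getView() begins before this hunk, so where `messages` comes from beyond `service.validateContainerScopedTables(false)` and whether it can hold null entries is not visible here.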