From 4faa39bb33d183897b47b422c9f441cb09aa981a Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Fri, 27 Apr 2012 11:19:36 +0200
Subject: [PATCH] OO-239: escaped the title of Ext popup windows

---
 .../closablewrapper/CloseableModalWindowController.java     | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/olat/core/gui/control/generic/closablewrapper/CloseableModalWindowController.java b/src/main/java/org/olat/core/gui/control/generic/closablewrapper/CloseableModalWindowController.java
index 443bfe34be0..3897c9d4310 100644
--- a/src/main/java/org/olat/core/gui/control/generic/closablewrapper/CloseableModalWindowController.java
+++ b/src/main/java/org/olat/core/gui/control/generic/closablewrapper/CloseableModalWindowController.java
@@ -19,6 +19,7 @@
  */
 package org.olat.core.gui.control.generic.closablewrapper;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
 import org.olat.core.gui.components.link.Link;
@@ -54,7 +55,10 @@ public class CloseableModalWindowController extends BasicController {
 	public CloseableModalWindowController(UserRequest ureq, WindowControl wControl, String title, Component modalContent, String id) {
 		super(ureq, wControl);
 		mainVC = createVelocityContainer("modalwindow");
-		if (title != null) mainVC.contextPut("title", title);
+		if (title != null) {
+			String escapedTitle = StringEscapeUtils.escapeJavaScript(StringEscapeUtils.escapeHtml(title));
+			mainVC.contextPut("title", escapedTitle);
+		}
 		mainVC.put("content", modalContent);
 		setCloseable(true);
 		setIgnoreCookie(false);
-- 
GitLab