Merge pull request #89 from The-Lady/EMPT110

RA-1875: EMPT110 Fixed XSS Vulnerability in AppId field on User App Page

Author: isears

omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/UserAppPageController.java

@@ -15,6 +15,7 @@
 
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.codehaus.jackson.map.ObjectMapper;
@@ -52,7 +53,7 @@ public void get(PageModel model, @RequestParam(value = "appId", required = false
 	public String post(PageModel model, @ModelAttribute(value = "appId") @BindParams UserApp userApp,
 	                   @RequestParam("action") String action,
 	                   @SpringBean("appFrameworkService") AppFrameworkService service, HttpSession session, UiUtils ui) {
-		
+
 		try {
 			AppDescriptor descriptor = mapper.readValue(userApp.getJson(), AppDescriptor.class);
 			if (!userApp.getAppId().equals(descriptor.getId())) {
@@ -65,14 +66,14 @@ public String post(PageModel model, @ModelAttribute(value = "appId") @BindParams
 				service.saveUserApp(userApp);
 
 				InfoErrorMessageUtil.flashInfoMessage(session,
-				    ui.message("referenceapplication.app.userApp.save.success", userApp.getAppId()));
+				    ui.message("referenceapplication.app.userApp.save.success", StringEscapeUtils.escapeHtml(userApp.getAppId())));
 
 				return "redirect:/referenceapplication/manageApps.page";
 			}
 		}
 		catch (Exception e) {
 			session.setAttribute(UiCommonsConstants.SESSION_ATTRIBUTE_ERROR_MESSAGE,
-			    ui.message("referenceapplication.app.userApp.save.fail", userApp.getAppId()));
+			    ui.message("referenceapplication.app.userApp.save.fail", StringEscapeUtils.escapeHtml(userApp.getAppId())));
 		}
 
 		model.addAttribute("userApp", userApp);