diff --git a/serverApps/src/main/servlet/org/compiere/wstore/LocationServlet.java b/serverApps/src/main/servlet/org/compiere/wstore/LocationServlet.java
index 414d35bcb7..514ef440f9 100644
--- a/serverApps/src/main/servlet/org/compiere/wstore/LocationServlet.java
+++ b/serverApps/src/main/servlet/org/compiere/wstore/LocationServlet.java
@@ -32,13 +32,14 @@ import org.compiere.model.MLocation;
import org.compiere.model.MRegion;
import org.compiere.util.CLogger;
import org.compiere.util.WebEnv;
-
+import org.compiere.util.Util;
/**
* Location Servlet
*
* @author Jorg Janke
* @version $Id: LocationServlet.java,v 1.5 2006/07/30 00:53:21 jjanke Exp $
+ * @author Michael Judd BF [2728388] - fix potential CSS velnerability
*/
public class LocationServlet extends HttpServlet
{
@@ -110,8 +111,9 @@ public class LocationServlet extends HttpServlet
response.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
-
String cmd = request.getParameter("cmd");
+ cmd = Util.maskHTML(cmd, true);
+
if(cmd == null)
{
out.println("Unknown Request: NULL");
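Review bot: The `cmd == null` check on the line before "Unknown Request: NULL" now runs after `cmd = Util.maskHTML(cmd, true)`, so the handling of a missing `cmd` parameter depends on `Util.maskHTML` tolerating a null argument, which this diff does not show; if it does not, a request without `cmd` ends in a NullPointerException (an unhandled 500) instead of the intended reply. Mask after the null check, or guard the call: `cmd = (cmd == null) ? null : Util.maskHTML(cmd, true);`. Note also that HTML escaping is output encoding, so it only protects the places where `cmd` is written back to the response; since `cmd` is compared against fixed command names (the `equalsIgnoreCase("regions")` branch further down), a stronger fix is to reject any value that is not a known command and never echo the attacker-controlled string at all, masked or not. The surrounding method begins before this hunk and continues past it.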
@@ -137,7 +139,7 @@ public class LocationServlet extends HttpServlet
}
out.println("");
}else if(cmd.equalsIgnoreCase("regions")){
- String country = request.getParameter("country");
+ String country = Util.maskHTML(request.getParameter("country"), true);
try{
int countryId = Integer.parseInt(country);
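Review bot: Escaping `country` with `Util.maskHTML` before `Integer.parseInt(country)` gains nothing on the parse path, because any input the escaping would alter already fails to parse; the masking only matters if the raw string is echoed in the `catch` block, which lies outside the hunk and cannot be checked here. The more robust shape is the one SearchServlet already uses for its ids, `int countryId = WebUtil.getParameterAsInt(request, "country");` (provided `WebUtil` is imported in this servlet, which this diff does not show), so the code never holds the raw string and any error message can print the parsed `int` instead of the request parameter. The `try` block opened here continues outside the hunk.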
diff --git a/serverApps/src/main/servlet/org/compiere/wstore/SearchServlet.java b/serverApps/src/main/servlet/org/compiere/wstore/SearchServlet.java
index 87179802b7..03b93797bc 100644
--- a/serverApps/src/main/servlet/org/compiere/wstore/SearchServlet.java
+++ b/serverApps/src/main/servlet/org/compiere/wstore/SearchServlet.java
@@ -45,6 +45,7 @@ import org.compiere.util.WebUtil;
*
* @author Jorg Janke
* @version $Id$
+ * @author Michael Judd BF [2728388] - fix potential CSS velnerability
*/
public class SearchServlet extends HttpServlet
{
@@ -126,7 +127,7 @@ public class SearchServlet extends HttpServlet
int warehouseID = WebUtil.getParameterAsInt(request, "warehouseID");
int partnerID = WebUtil.getParameterAsInt(request, "partnerID");
- String get = request.getParameter("get");
+ String get = Util.maskHTML(request.getParameter("get"), true);
if(get == null)
{
out.println("Unknown Request: NULL");
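Review bot: As in LocationServlet, `get` is passed through `Util.maskHTML(request.getParameter("get"), true)` before the `get == null` check, so a request without `get` only reaches the "Unknown Request: NULL" reply if `Util.maskHTML` is null-safe, which this diff does not show; otherwise the servlet throws a NullPointerException instead. Guard it, `String get = request.getParameter("get"); if (get != null) get = Util.maskHTML(get, true);`, or move the masking below the null check. Since `get` is presumably compared against a fixed set of request names further down (the method continues outside the hunk), rejecting unknown values outright and not echoing the parameter is the safer fix than escaping it; the ids on the two lines above are already read as ints via `WebUtil.getParameterAsInt` and need no masking.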