From 2367f52aafc224f1c0a89ac6c63712b3d767c788 Mon Sep 17 00:00:00 2001
From: John Feminella
Date: Thu, 5 May 2016 14:23:14 -0400
Subject: [PATCH] Remove potential XSS attack in Freemarker example

Since the user controls the value of `spring.status.value`, you wouldn't want to echo unescaped values here in this form. Otherwise one could submit a value of, say, `"/> `.
---
 src/asciidoc/web-view.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/asciidoc/web-view.adoc b/src/asciidoc/web-view.adoc
index 637990f8f2..f200e5a4d8 100644
--- a/src/asciidoc/web-view.adoc
+++ b/src/asciidoc/web-view.adoc
@@ -331,7 +331,7 @@ Example code is shown below for the `personFormV`/`personFormF` views configured
 <@spring.bind "myModelObject.name"/>
+ value="${spring.status.value?html}"/>
<#list spring.status.errorMessages as error> ${error}

...