From d37ded3ddc3f883f8461932bea8a3469ed0a52f7 Mon Sep 17 00:00:00 2001
From: Graham Knop
Date: Mon, 6 Oct 2008 15:49:30 +0000
Subject: [PATCH] fixed: Cross site scripting issue on operation pages
---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Session/Url.pm | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index 3360069f7..e1fd7d004 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -20,6 +20,7 @@
 - fixed: testEnvironment.pl can't find WebGUI modules after installing a prerequisite
 - fixed: Combo box does not show possible values in Thingy (SDH Consulting Group)
+ - fixed: Cross site scripting issue on operation pages
 7.6.0
 - added: users may now customize the post received page for the CS
diff --git a/lib/WebGUI/Session/Url.pm b/lib/WebGUI/Session/Url.pm
index cc4a0433b..32f6c793b 100644
--- a/lib/WebGUI/Session/Url.pm
+++ b/lib/WebGUI/Session/Url.pm
@@ -437,8 +437,8 @@ sub page {
 if ($useFullUrl) {
 $url = $self->getSiteURL();
 }
- my $path = $self->session->asset ? $self->session->asset->get("url") : $self->getRequestedUrl;
- $url .= $self->gateway($path, $pairs, $skipPreventProxyCache);
+ my $path = $self->session->asset ? $self->session->asset->get("url") : $self->escape($self->getRequestedUrl);
+ $url .= $self->gateway($path, $pairs, $skipPreventProxyCache);
 return $url;
 }
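Review bot: The new `$self->escape(...)` on the `my $path` line covers only the request-derived fallback; `$pairs` still reaches `gateway()` untouched and the `asset->get("url")` branch relies on stored asset URLs already being safe, neither of which can be checked from this hunk. If `escape` is a plain percent-encoding helper (its definition is outside the hunk), it is worth confirming that multi-segment paths keep usable `/` separators and that callers printing `page()` into HTML attributes still HTML-encode the result, since URL-encoding and HTML-encoding are not interchangeable. A one-line comment such as `# requested URL is client-controlled: encode before it is reflected into generated links` would record why only this branch is escaped, and a regression test calling `page()` with markup characters in the requested URL would pin the fix. `sub page` begins above the hunk, so the handling of `$pairs` earlier in the sub is not visible here.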