XSS vulnerability with bag.do

[aturling]

Our security team found a cross-site scripting vulnerability in bag.do with subtabs, for example:

(mine_url)/bag.do?subtab=%22%3E%3C%2Fa%3E%3CScRiPt%3Ealert%28%27w1b8m6yewq%27%29%3C%2FsCrIpT%3E%22%3E%3Cscript%3Ealert(150)%3C/script%3E

[aturling]

I believe the solution is similar to #950.

In SubMenuController.java:

Change

        if (subtab != null && subtab.length() != 0) {
            webState.addSubtab("subtab" + pageName, subtab);
        }

to

        if (subtab != null && subtab.length() != 0) {
            webState.addSubtab("subtab" + pageName, StringEscapeUtils.escapeHtml(subtab));
        }

and add at the top:
import org.apache.commons.lang.StringEscapeUtils;