LPD-55453 Escape Parameter URL in RenderStructureFieldMVCResourceCommand

mxs2 · brianchandotcom · commit 5ca8331da450 · 2025-06-07T09:07:38.000-03:00
diff --git a/modules/apps/dynamic-data-mapping/dynamic-data-mapping-web/src/main/java/com/liferay/dynamic/data/mapping/web/internal/portlet/action/RenderStructureFieldMVCResourceCommand.java b/modules/apps/dynamic-data-mapping/dynamic-data-mapping-web/src/main/java/com/liferay/dynamic/data/mapping/web/internal/portlet/action/RenderStructureFieldMVCResourceCommand.java
@@ -19,6 +19,7 @@
 import com.liferay.portal.kernel.servlet.ServletResponseUtil;
 import com.liferay.portal.kernel.theme.ThemeDisplay;
 import com.liferay.portal.kernel.util.ContentTypes;
+import com.liferay.portal.kernel.util.HtmlUtil;
 import com.liferay.portal.kernel.util.ParamUtil;
 import com.liferay.portal.kernel.util.Portal;
 import com.liferay.portal.kernel.util.Validator;
@@ -91,8 +92,8 @@ private DDMFormFieldRenderingContext _createDDMFormFieldRenderingContext(
 			httpServletRequest.setAttribute(WebKeys.PORTLET_ID, portletId);
 		}
 
-		String portletNamespace = ParamUtil.getString(
-			httpServletRequest, "portletNamespace");
+		String portletNamespace = HtmlUtil.escapeAttribute(
+			ParamUtil.getString(httpServletRequest, "portletNamespace"));
 
 		httpServletRequest.setAttribute(
 			"aui:form:portletNamespace", portletNamespace);
@@ -111,7 +112,8 @@ private DDMFormFieldRenderingContext _createDDMFormFieldRenderingContext(
 		ddmFormFieldRenderingContext.setMode(
 			ParamUtil.getString(httpServletRequest, "mode"));
 		ddmFormFieldRenderingContext.setNamespace(
-			ParamUtil.getString(httpServletRequest, "namespace"));
+			HtmlUtil.escapeAttribute(
+				ParamUtil.getString(httpServletRequest, "namespace")));
 		ddmFormFieldRenderingContext.setPortletNamespace(portletNamespace);
 		ddmFormFieldRenderingContext.setReadOnly(
 			ParamUtil.getBoolean(httpServletRequest, "readOnly"));
