Escaping params in a form with ActionURL

2021-06-09T15:09:51Z

Hi everyone, i have a jsp with a form and its actionURL is defined like this:

<liferay-portlet:actionURL portletName="buscador_WAR_cntxesuialumnosportlet" plid="${plidBuscador}" varImpl="searchTermURL" name="searchTerm" >
	<liferay-portlet:param name="mvcPath" value="xxxx" />
	<liferay-portlet:param name="back" value='<%=yyyy%>' />
</liferay-portlet:actionURL>

and then there's the form like this:

	<form action="${fn:escapeXml(searchTermURL)}" method="get" name="buscador-form" class="buscador-form">
		<liferay-portlet:renderURLParams varImpl="searchTermURL"/>
		<input name="term" placeholder='<liferay-ui:message key="buscador.placeholder" />' type="text" value="${fn:escapeXml(term)}" class="buscador-input" />
        <input type="submit" name="tiny-buscador-button" class="tiny-buscador-button" value="" />
	</form>

The problem i have is that a test run by Acunetix software is detecting some Cross-site scripting vulnerabilities, for which i need to escape the characters.

It detected one with the <input term> which seems to have been solved by using the ${fn:escapeXml(term)}, but then it threw another with the param "back" defined in the actionURL portlet. For this, i tried using the ${fn:escapeXml(term)}, but to no avail. The algorithm is setting the parameter to

"</script><script>0H6Q(9003)</script>" and i would need to escape it. I've read about the option escapeXML, but i don't know if it would be helpful for this case, and i'm not sure how and where to use it exactly.

In case of being helpful, would it have to be put in the definition of the parameter "back" or in the liferay-portlet:actionURL?

Or maybe in the liferay-portlet:renderURLParams variable?

By the way, i'm using Liferay 6.1.2 CE (i know it's pretty old, but it's out of my hands to update it...)

Thanks in advance!