From d7c66dc996035f21a581804febb2518328c14dcc Mon Sep 17 00:00:00 2001
From: bgrozev
Date: Tue, 22 Sep 2020 12:08:51 -0500
Subject: [PATCH] fix: Escape the display name. (#593)
---
src/main/java/org/jitsi/jicofo/auth/ShibbolethHandler.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/jitsi/jicofo/auth/ShibbolethHandler.java b/src/main/java/org/jitsi/jicofo/auth/ShibbolethHandler.java
index 195ef2ebfc..976e8de4e7 100644
--- a/src/main/java/org/jitsi/jicofo/auth/ShibbolethHandler.java
+++ b/src/main/java/org/jitsi/jicofo/auth/ShibbolethHandler.java
@@ -17,6 +17,7 @@
*/
package org.jitsi.jicofo.auth;
+import com.google.common.html.*;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.server.handler.*;
@@ -240,7 +241,7 @@ private void doHandle(
boolean close = "true".equalsIgnoreCase(request.getParameter("close"));
responseWriter.println("
");
- responseWriter.println("Hello " + displayName + "!");
+ responseWriter.println("Hello " + HtmlEscapers.htmlEscaper().escape(displayName) + "!");
if (!close)
{
responseWriter.println(
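Review bot: The new `escape(displayName)` call throws a NullPointerException when `displayName` is null, because Guava's escapers reject null input, whereas the old concatenation printed "Hello null!". Where `displayName` is assigned is outside this hunk, so if it can be absent (for example when the identity provider supplies no name attribute), guard it first: `String safeName = displayName == null ? "" : HtmlEscapers.htmlEscaper().escape(displayName);`. Also note that `htmlEscaper()` is only suitable for HTML text and quoted attribute values. `doHandle` continues past the end of the hunk, so any request- or session-derived value it writes further down, particularly inside a script block, needs its own context-appropriate encoding. A unit test that passes a display name containing `<`, `"` and `&` would pin the fix.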