fixes primefaces#3418 - dock XSS

cnsgithub · cnsgithub · commit 7c0d22141eee · 2018-03-06T14:56:49.000+01:00
diff --git a/src/main/java/org/primefaces/component/dock/DockRenderer.java b/src/main/java/org/primefaces/component/dock/DockRenderer.java
@@ -108,7 +108,12 @@ protected void encodeItemLabel(FacesContext context, MenuItem menuitem) throws I
         writer.startElement("span", null);
 
         if (menuitem.getValue() != null) {
-            writer.write((String) menuitem.getValue());
+            if (menuitem.isEscape()) {
+                writer.writeText((String) menuitem.getValue(), "value");
+            } 
+            else {
+                writer.write((String) menuitem.getValue());
+            }
         }
 
         writer.endElement("span");
