# HG changeset patch
# User Ingo Weinzierl
# Date 1271941124 0
# Node ID f550bd27a3f11e42ebf6a36901199909337fa04e
# Parent ae946acba005d07d55a17ab57679b5259c69ca00
Html characters in strings inserted by the user are quoted (issue221).
gnv/trunk@969 c6561f87-3c4e-4783-a992-168aeb5c3f6f
diff -r ae946acba005 -r f550bd27a3f1 gnv/ChangeLog
--- a/gnv/ChangeLog Mon Apr 19 15:36:11 2010 +0000
+++ b/gnv/ChangeLog Thu Apr 22 12:58:44 2010 +0000
@@ -1,3 +1,14 @@
+2010-04-22 Ingo Weinzierl
+
+ Issue221
+
+ * src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java:
+ Added methods to quote html characters in strings.
+
+ * src/main/java/de/intevation/gnv/action/WMSAction.java: Call methods to
+ quote html characters in strings inserted by the user. Used to be safe
+ from html injections.
+
 2010-04-19 Hans Plum
 
 Issue 241: Set Path to Tomcat Standard Logging
diff -r ae946acba005 -r f550bd27a3f1 gnv/src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java
--- a/gnv/src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java Mon Apr 19 15:36:11 2010 +0000
+++ b/gnv/src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java Thu Apr 22 12:58:44 2010 +0000
@@ -49,5 +49,30 @@
 ActionForward lForward = mapping.findForward(EXCEPTION_FORWARD_ID);
 return lForward;
 }
+
+
+ protected String encode(String s) {
+ log.debug("String to encode: " + s);
+ s = s.replaceAll("<", "<");
+ s = s.replaceAll(">", ">");
+ s = s.replaceAll("\"", """);
+ s = s.replaceAll("&", "&");
+
+ log.debug("Encoded string: " + s);
+ return s;
+ }
+
+
+ protected String[] encode(String[] s) {
+ if (s == null)
+ return null;
+
+ String[] good = new String[s.length];
+ for (int i = 0; i < good.length; i++) {
+ good[i] = encode(s[i]);
+ }
+
+ return good;
+ }
 }
 // vim:set ts=4 sw=4 si et sta sts=4 fenc=utf8 :
diff -r ae946acba005 -r f550bd27a3f1 gnv/src/main/java/de/intevation/gnv/action/WMSAction.java
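Review bot: In `encode(String)` the `&` substitution runs last, so every entity produced by the three preceding calls is itself re-encoded (`<` ends up as `&amp;lt;` instead of `&lt;`); the ampersand replacement has to be the first line. As rendered on this page each target string is identical to its search string (`s.replaceAll("<", "<")`), which looks like the entities being decoded on display rather than what was committed — worth confirming against the repository, because as shown the method changes nothing. The arguments are literal characters, so `s = s.replace("&", "&amp;");` first, followed by the `<`, `>` and `"` replacements via `replace` rather than the regex-based `replaceAll`, is enough, and an `'` → `&#39;` line would also cover single-quoted attribute contexts. Both overloads also lack Javadoc saying the result is only safe for HTML text and double-quoted attribute values, and `encode(String)` throws on a null argument while the array overload guards only a null array; the `log.debug` calls additionally write the raw request value to the log.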
--- a/gnv/src/main/java/de/intevation/gnv/action/WMSAction.java Mon Apr 19 15:36:11 2010 +0000
+++ b/gnv/src/main/java/de/intevation/gnv/action/WMSAction.java Thu Apr 22 12:58:44 2010 +0000
@@ -94,12 +94,12 @@
 String[] values = request.getParameterValues(name);
 String value = request.getParameter(name);
 InputParameter ip = new DefaultInputParameter(name,
- values);
+ encode(values));
 ips.add(ip);
 if (value != null) {
 ++params;
- diagrammOptions.setValue(name, value);
+ diagrammOptions.setValue(name, encode(value));
 }
 }
@@ -178,6 +178,5 @@
 return super.getExceptionForward(mapping);
 }
 }
-
 }
 // vim:set ts=4 sw=4 si et sta sts=4 fenc=utf-8 :
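Review bot: The encoded values are written into the request model (`new DefaultInputParameter(name, encode(values))` and `diagrammOptions.setValue(name, encode(value))`) rather than escaped where they are rendered, so any consumer of these parameters that is not an HTML page — presumably whatever request is later built from `ips` — now receives entity-encoded text (`&amp;`, `&lt;`) instead of the user's input. Unless every downstream reader is an HTML template, keeping the raw value here and escaping at the output site (JSP `<c:out>` / `fn:escapeXml`, or `encode` invoked in the view) is the safer split; if input-side encoding is deliberate, a comment such as `// stored HTML-escaped: consumers must not escape again` on the `ips.add(ip);` line would make that contract explicit. The enclosing loop and method start before this hunk; the second hunk in this file only removes a blank line.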