changeset 705:f550bd27a3f1

HTML characters in strings inserted by the user are quoted (issue221). gnv/trunk@969 c6561f87-3c4e-4783-a992-168aeb5c3f6f
author Ingo Weinzierl <ingo.weinzierl@intevation.de>
date Thu, 22 Apr 2010 12:58:44 +0000
parents ae946acba005
children 2659a5b1fa1e
files gnv/ChangeLog gnv/src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java gnv/src/main/java/de/intevation/gnv/action/WMSAction.java
diffstat 3 files changed, 38 insertions(+), 3 deletions(-) [+]
--- a/gnv/ChangeLog	Mon Apr 19 15:36:11 2010 +0000
+++ b/gnv/ChangeLog	Thu Apr 22 12:58:44 2010 +0000
@@ -1,3 +1,14 @@
+2010-04-22  Ingo Weinzierl <ingo.weinzierl@intevation.de>
+
+	  Issue221
+
+	* src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java:
+	  Added methods to quote html characters in strings.
+
+	* src/main/java/de/intevation/gnv/action/WMSAction.java: Call methods to
+	  quote html characters in strings inserted by the user. Used to be safe 
+	  from html injections.
+
 2010-04-19  Hans Plum <hans@intevation.de>
 
 	Issue 241: Set Path to Tomcat Standard Logging
--- a/gnv/src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java	Mon Apr 19 15:36:11 2010 +0000
+++ b/gnv/src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java	Thu Apr 22 12:58:44 2010 +0000
@@ -49,5 +49,30 @@
         ActionForward lForward = mapping.findForward(EXCEPTION_FORWARD_ID);
         return lForward;
     }
+
+
+    protected String encode(String s) {
+        log.debug("String to encode: " + s);
+        s = s.replaceAll("<", "&lt;");
+        s = s.replaceAll(">", "&gt;");
+        s = s.replaceAll("\"", "&quot;");
+        s = s.replaceAll("&", "&amp;");
+
+        log.debug("Encoded string: " + s);
+        return s;
+    }
+
+
+    protected String[] encode(String[] s) {
+        if (s == null)
+            return null;
+
+        String[] good = new String[s.length];
+        for (int i = 0; i < good.length; i++) {
+            good[i] = encode(s[i]);
+        }
+
+        return good;
+    }
 }
 // vim:set ts=4 sw=4 si et sta sts=4 fenc=utf8 :
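Review bot: `encode(String)` double-encodes its own output because `&` is replaced last (lines 39–42): `<` first becomes `&lt;` and is then turned into `&amp;lt;`, so every escaped character is displayed literally as its entity name. The ampersand substitution has to come first, `s = s.replace("&", "&amp;");` ahead of the `<`, `>` and `"` lines; `replace` rather than `replaceAll` also stops the arguments from being read as regular expressions. The method dereferences `s` unconditionally, so a null element in the array handed to `encode(String[])` throws a NullPointerException; an `if (s == null) return null;` guard at the top would mirror the array overload. Consider escaping `'` as `&#39;` too, since a value placed in a single-quoted attribute is otherwise still unescaped. The enclosing class begins before the hunk.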
--- a/gnv/src/main/java/de/intevation/gnv/action/WMSAction.java	Mon Apr 19 15:36:11 2010 +0000
+++ b/gnv/src/main/java/de/intevation/gnv/action/WMSAction.java	Thu Apr 22 12:58:44 2010 +0000
@@ -94,12 +94,12 @@
                         String[] values   = request.getParameterValues(name);
                         String value      = request.getParameter(name);
                         InputParameter ip = new DefaultInputParameter(name,
-                                values);
+                                encode(values));
                         ips.add(ip);
 
                         if (value != null) {
                             ++params;
-                            diagrammOptions.setValue(name, value);
+                            diagrammOptions.setValue(name, encode(value));
                         }
                     }
 
@@ -178,6 +178,5 @@
             return super.getExceptionForward(mapping);
         }
     }
-
 }
 // vim:set ts=4 sw=4 si et sta sts=4 fenc=utf-8 :
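Review bot: The parameter name reaches `new DefaultInputParameter(name, encode(values))` and `diagrammOptions.setValue(name, encode(value))` unencoded while only the values are escaped; if `name` is also read from the request (its origin lies before the hunk), it needs the same treatment wherever it is later written into HTML. Escaping at input time also means the stored values now carry `&lt;`/`&amp;` text into every consumer, including any that assembles a WMS request or compares values against their original form, and a view layer that escapes again will double-encode them; escaping at the point of HTML output is the more robust placement. The enclosing loop and method begin and end outside the hunk; the second hunk only removes a blank line.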
