changeset 705:f550bd27a3f1
HTML characters in strings inserted by the user are quoted (issue221).
gnv/trunk@969 c6561f87-3c4e-4783-a992-168aeb5c3f6f
author | Ingo Weinzierl <ingo.weinzierl@intevation.de> |
date | Thu, 22 Apr 2010 12:58:44 +0000 |
parents | ae946acba005 |
children | 2659a5b1fa1e |
files | gnv/ChangeLog gnv/src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java gnv/src/main/java/de/intevation/gnv/action/WMSAction.java |
diffstat | 3 files changed, 38 insertions(+), 3 deletions(-) [+] |
--- a/gnv/ChangeLog Mon Apr 19 15:36:11 2010 +0000
+++ b/gnv/ChangeLog Thu Apr 22 12:58:44 2010 +0000
@@ -1,3 +1,14 @@
+2010-04-22 Ingo Weinzierl <ingo.weinzierl@intevation.de>
+
+	Issue221
+
+	* src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java:
+	Added methods to quote html characters in strings.
+
+	* src/main/java/de/intevation/gnv/action/WMSAction.java: Call methods to
+	quote html characters in strings inserted by the user. Used to be safe
+	from html injections.
+
 2010-04-19 Hans Plum <hans@intevation.de>
 
 	Issue 241: Set Path to Tomcat Standard Logging
--- a/gnv/src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java Mon Apr 19 15:36:11 2010 +0000
+++ b/gnv/src/main/java/de/intevation/gnv/action/ArtifactDatabaseActionBase.java Thu Apr 22 12:58:44 2010 +0000
@@ -49,5 +49,30 @@
         ActionForward lForward = mapping.findForward(EXCEPTION_FORWARD_ID);
         return lForward;
     }
+
+
+    protected String encode(String s) {
+        log.debug("String to encode: " + s);
+        s = s.replaceAll("<", "<");
+        s = s.replaceAll(">", ">");
+        s = s.replaceAll("\"", """);
+        s = s.replaceAll("&", "&");
+
+        log.debug("Encoded string: " + s);
+        return s;
+    }
+
+
+    protected String[] encode(String[] s) {
+        if (s == null)
+            return null;
+
+        String[] good = new String[s.length];
+        for (int i = 0; i < good.length; i++) {
+            good[i] = encode(s[i]);
+        }
+
+        return good;
+    }
 }
 // vim:set ts=4 sw=4 si et sta sts=4 fenc=utf8 :
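Review bot: In `encode(String)` the `&` replacement is the last of the four substitutions, so any `&` introduced by the three calls before it is escaped a second time (an input `<` would end up as `&amp;lt;` rather than `&lt;`); move `s = s.replaceAll("&", ...)` to the top of the sequence. As this page renders the hunk, each replacement string looks identical to its search string — presumably the entity references were rendered back into plain characters — so this assumes the committed code substitutes `&lt;`, `&gt;`, `&quot;` and `&amp;`. Nothing escapes the single quote, so the result is only safe in text content and double-quoted attribute values; a Javadoc line stating that contract, and that a null argument throws (`encode(String[])` guards the array but not its elements), would help callers. `String.replace` is the literal-substitution form and avoids the regex semantics of `replaceAll` here, and the two debug statements write the raw request value into the log, which matters wherever that log output is consumed.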
--- a/gnv/src/main/java/de/intevation/gnv/action/WMSAction.java Mon Apr 19 15:36:11 2010 +0000 +++ b/gnv/src/main/java/de/intevation/gnv/action/WMSAction.java Thu Apr 22 12:58:44 2010 +0000 @@ -94,12 +94,12 @@ String[] values = request.getParameterValues(name); String value = request.getParameter(name); InputParameter ip = new DefaultInputParameter(name, - values); + encode(values)); ips.add(ip); if (value != null) { ++params; - diagrammOptions.setValue(name, value); + diagrammOptions.setValue(name, encode(value)); } } @@ -178,6 +178,5 @@ return super.getExceptionForward(mapping); } } - } // vim:set ts=4 sw=4 si et sta sts=4 fenc=utf-8 :
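Review bot: The escaping in the first hunk is applied where the request parameters are read, so the HTML-escaped form is what gets stored in the `DefaultInputParameter` via `encode(values)` and in `diagrammOptions` via `encode(value)`. That is only correct if every consumer of those values renders them as HTML; a consumer that treats them as data (comparing against expected parameter values, forwarding them to a backend, or a view layer that escapes on its own) will see `&lt;`-style text or double escaping, which cannot be judged from this hunk. Escaping at output time in the view is the more robust placement; if input-time escaping is kept, a comment on these two lines such as `// stored values are HTML-escaped; do not escape again when rendering` would make the contract visible to the next reader. The enclosing loop and method begin before the hunk; the second hunk only drops a blank line.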