Dave,

I'd like to suggest that we do one more thing to fix this problem starting in the current trunk. I'd like to go ahead and make our pojo wrappers static so that we can place custom code in various methods to handle situations like this. The problem with the current fix is that it relies on the fact that people are using the macros and that can't be guaranteed, so to truly solve this problem we need the functionality to be in the pojo wrappers themselves so that there is no way to get unescaped data.

So to do this all I am planning to do is copy the current generated wrappers into the actual source tree and commit them, then modify the various getXXX() methods on the CommentDataWrapper so that they escape the data.

Not only does this help fix this security issue at the very root level, but it will also open up opportunities to do more with our wrappers in general. So is anyone else opposed to making the pojo wrappers static?

I don't think this change would need to be backported to older releases, so it would just go into the current trunk.

-- Allen
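Escaping inside the wrapper itself, as Allen proposes, can look like the following. This is an added illustration written for this thread, not Roller's CommentDataWrapper or any code from the commit below; the class names and the escapeHTML and httpUrlOrEmpty helpers are hypothetical stand-ins, and the example assumes templates reach comment fields only through the wrapper's getters (which is how a reference like $comment.name resolves in Velocity). It also goes one step beyond the thread by checking the URL scheme, since escaping alone says nothing about what the link points to.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Date;

public class EscapingWrapperExample {

    /** Plain data holder standing in for org.apache.roller.pojos.CommentData (hypothetical). */
    static final class CommentData {
        private final String name, email, url, remoteHost, content;
        private final Date postTime;

        CommentData(String name, String email, String url,
                    String remoteHost, String content, Date postTime) {
            this.name = name; this.email = email; this.url = url;
            this.remoteHost = remoteHost; this.content = content;
            this.postTime = postTime;
        }
        String getName() { return name; }
        String getEmail() { return email; }
        String getUrl() { return url; }
        String getRemoteHost() { return remoteHost; }
        String getContent() { return content; }
        Date getPostTime() { return postTime; }
    }

    /** Escapes the five characters that matter in HTML text and quoted attributes.
     *  Null becomes "" so a Velocity reference never falls back to printing its own text. */
    static String escapeHTML(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Keeps a commenter URL only if it is an absolute http(s) URL with a host;
     *  relative paths, other schemes and unparsable input all become "". */
    static String httpUrlOrEmpty(String url) {
        if (url == null) return "";
        try {
            URI u = new URI(url.trim());
            String scheme = u.getScheme();
            boolean httpish = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            if (httpish && u.getHost() != null) return u.toString();
        } catch (URISyntaxException e) {
            // fall through: treat as no URL at all
        }
        return "";
    }

    /** Hypothetical hand-maintained wrapper: the object a template sees as $comment.
     *  Every getter for a commenter-controlled field escapes on the way out, so a
     *  template that forgets the escapeHTML macro still cannot emit raw markup. */
    public static final class CommentDataWrapper {
        private final CommentData pojo;
        public CommentDataWrapper(CommentData pojo) { this.pojo = pojo; }

        public String getName()       { return escapeHTML(pojo.getName()); }
        public String getEmail()      { return escapeHTML(pojo.getEmail()); }
        public String getRemoteHost() { return escapeHTML(pojo.getRemoteHost()); }
        /** Scheme-checked first, then attribute-escaped, so it can go straight into an href. */
        public String getUrl()        { return escapeHTML(httpUrlOrEmpty(pojo.getUrl())); }
        /** The body is escaped as well; a template that wants the permitted HTML
         *  subset would have to ask for it through a separately named getter. */
        public String getContent()    { return escapeHTML(pojo.getContent()); }
        public Date getPostTime()     { return pojo.getPostTime(); }
    }

    public static void main(String[] args) {
        // Constructed sample values of the kind the CHANGES.txt entry warns about.
        CommentData raw = new CommentData(
                "Mallory <script>x</script>",
                "<m@example.org>",
                "javascript:void(0)",
                "198.51.100.7",
                "Nice post & thanks",
                new Date());
        CommentDataWrapper c = new CommentDataWrapper(raw);

        // What template lines such as <b>$comment.name</b> would now emit.
        System.out.println("<b>" + c.getName() + "</b> (" + c.getRemoteHost() + ")");
        System.out.println("<input type=\"text\" name=\"email\" value=\"" + c.getEmail() + "\" />");
        System.out.println("<a href=\"" + c.getUrl() + "\">site</a>");
        System.out.println("<p>" + c.getContent() + "</p>");
    }
}
```

The design point is that the wrapper, not the template author, owns the encoding decision: the raw pojo is never placed in the template context, and any field that needs a different treatment (the comment body when an HTML subset is permitted) gets its own explicitly named accessor rather than a way around the escaping.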


[EMAIL PROTECTED] wrote:
Author: snoopdave
Date: Mon Mar 19 12:25:59 2007
New Revision: 520056

URL: http://svn.apache.org/viewvc?view=rev&rev=520056
Log:
Fixing XSS vulnerability by stripping HTML from incoming comment fields and 
escaping HTML when fields are displayed in Roller 2.3, Roller 3.0, Roller 3.1 
and trunk

Removed:
    incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/authoring/struts/formbeans/CommentFormEx.java
    incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/authoring/struts/formbeans/CommentFormEx.java
    incubator/roller/trunk/src/org/apache/roller/ui/authoring/struts/formbeans/CommentFormEx.java
Modified:
    incubator/roller/branches/roller_2.3/CHANGES.txt
    incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java
    incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm
    incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp
    incubator/roller/branches/roller_3.0/CHANGES.txt
    incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
    incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp
    incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm
    incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
    incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp
    incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm
    incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
    incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp
    incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm

Modified: incubator/roller/branches/roller_2.3/CHANGES.txt
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/CHANGES.txt?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_2.3/CHANGES.txt (original)
+++ incubator/roller/branches/roller_2.3/CHANGES.txt Mon Mar 19 12:25:59 2007
@@ -6,13 +6,24 @@
*** Security risk in comment form -Allowing commenters to leave HTML in comments is a potential security risk because it allows commenters can add malicious Javascipt code. You can disable HTML in comments via the Roller admin interface, but in Roller 2.3 and earlier versions of Roller, attackers could still add malicious HTML to the name, email and URL fields. +Allowing commenters to leave HTML in comments is a potential security risk +because it allows commenters can add malicious Javascipt code. You can +disable HTML in comments via the Roller admin interface, but in Roller 2.3 and +earlier versions of Roller, attackers could still add malicious HTML to the +name, email and URL fields. -We fixed the problem in Roller 2.3.1 and all subsequent versions of Roller by stripping all HTML from name, email and comment fields at comment post time. +We fixed the problem in Roller 2.3.1 and all subsequent versions of +Roller by stripping all HTML from name, email and comment fields at +comment post time. Also, we do HTML escaping whenever we display the
+suspect fields.
*** Licensing issue with JavaMail and Activation jars -The JavaMail and Activation jars (mail.jar and activation.jar) included in Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible with Apache licensing policy. So these jars have been removed from the release and instructions have been added to the Installation Guide that explain how to get them and add them to Roller. +The JavaMail and Activation jars (mail.jar and activation.jar) included in +Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible +with Apache licensing policy. So these jars have been removed from the release +and instructions have been added to the Installation Guide that explain +how to get them and add them to Roller. Roller 2.3: improvements and bug fixes, no major new features
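Review bot: the new changelog paragraph has two errors that should not ship in a release note: "Javascipt" should read "Javascript", and "it allows commenters can add malicious" should read "it allows commenters to add malicious". It also says HTML is stripped from the "name, email and comment fields", while the sentence before it and the CommentFormEx/WeblogCommentRequest changes in this commit strip name, email and URL (plus remoteHost in 2.3) and leave the comment body to display-time escaping; the list should read "name, email and URL fields".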

Modified: 
incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- 
incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java
 (original)
+++ 
incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java
 Mon Mar 19 12:25:59 2007
@@ -114,6 +114,8 @@
public void copyTo(org.apache.roller.pojos.CommentData dataHolder, Locale locale) throws RollerException
     {
+        super.copyTo(dataHolder, locale);
+ if (!StringUtils.isEmpty(name)) {
             name = Utilities.removeHTML(name);
         }
@@ -123,7 +125,9 @@
         if (!StringUtils.isEmpty(email)) {
             email = Utilities.removeHTML(email);
         }
-        super.copyTo(dataHolder, locale);
+        if (!StringUtils.isEmpty(remoteHost)) {
+            remoteHost = Utilities.removeHTML(remoteHost);
+        }
         if (getSpam() == null) dataHolder.setSpam(Boolean.FALSE);
         if (getNotify() == null) dataHolder.setNotify(Boolean.FALSE);
     }
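Review bot: the order of operations in copyTo looks inverted. super.copyTo(dataHolder, locale) now runs first, and the removeHTML calls that follow reassign only this bean's own name, email and remoteHost fields; nothing after them writes the stripped values into dataHolder. If the base copyTo is what copies the bean's fields into the CommentData, the persisted comment still carries the unstripped values, which is the opposite of what the log message promises. Either keep the stripping ahead of the super.copyTo call, as the removed line had it, or follow the stripping with explicit dataHolder.setName(name), dataHolder.setEmail(email) and dataHolder.setRemoteHost(remoteHost) calls, and add a unit test that posts a name containing a tag and asserts the stored value is clean.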

Modified: incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm 
(original)
+++ incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm Mon 
Mar 19 12:25:59 2007
@@ -61,15 +61,15 @@
     <p class="comment-details">
     $text.get("macro.weblog.postedby")
     #if (!$stringUtils.isEmpty($comment.name) && 
!$stringUtils.isEmpty($comment.remoteHost))
-        <b>$comment.name</b> ($comment.remoteHost)
+        <b>$utilities.escapeHTML($comment.name)</b> 
($utilities.escapeHTML($comment.remoteHost))
     #elseif (!$stringUtils.isEmpty($comment.name))
-        <b>$comment.name</b>
+        <b>$utilities.escapeHTML($comment.name)</b>
     #elseif (!$stringUtils.isEmpty($comment.remoteHost))
-        <b>$comment.remoteHost</b>
+        <b>$utilities.escapeHTML($comment.remoteHost)</b>
     #end
     $text.get("macro.weblog.on") $dateFormatter.format($comment.postTime)
     #if( $stringUtils.isNotEmpty($comment.url) )
-        $text.get( "macro.weblog.postedbywebsite", [$comment.url, 
$comment.url] )
+        $text.get( "macro.weblog.postedbywebsite", 
[$utilities.escapeHTML($comment.url), $utilities.escapeHTML($comment.url)] )
     #end
     #if( $showPermalink )
     <a href="${ctxPath}${entry.permaLink}#comment${velocityCount}"
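Review bot: escaping both arguments passed to macro.weblog.postedbywebsite is correct for text and attribute context, but HTML escaping does not constrain what the URL itself is; if that message renders its first argument as an href, the scheme should also be restricted (for example to http and https), which is easiest to do once when the comment is posted rather than in every template.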
@@ -199,15 +199,15 @@
<table cellspacing="0" cellpadding="1" border="0" width="95%">
         <tr><th>$text.get( "macro.weblog.name" )</th>
-            <td><input type="text" name="name" value="$commentForm.name" size="50" 
maxlength="255" /></td>
+            <td><input type="text" name="name" value="$utilities.escapeHTML($commentForm.name)" 
size="50" maxlength="255" /></td>
         </tr>
<tr><th>$text.get( "macro.weblog.email" )</th>
-            <td><input type="text" name="email" value="$commentForm.email" size="50" 
maxlength="255" /></td>
+            <td><input type="text" name="email" value="$utilities.escapeHTML($commentForm.email)" 
size="50" maxlength="255" /></td>
         </tr>
<tr><th>$text.get( "macro.weblog.url" )</th>
-            <td><input type="text" name="url" value="$commentForm.url" size="50" 
maxlength="255" /></td>
+            <td><input type="text" name="url" value="$utilities.escapeHTML($commentForm.url)" 
size="50" maxlength="255" /></td>
         </tr>
         #if ($pageModel.emailComments)
         <tr>
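Review bot: the three value attributes now depend on $utilities.escapeHTML returning a non-null string for a null field. On a fresh form $commentForm.name, .email and .url may well be null, and if escapeHTML passes null through, Velocity will print the reference text itself into the attribute. Use the quiet form, $!utilities.escapeHTML($commentForm.name), as the weblog.vm textarea hunk in this commit does with $!content, or have escapeHTML map null to "".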

Modified: incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp 
(original)
+++ incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp Mon 
Mar 19 12:25:59 2007
@@ -303,27 +303,27 @@
                             <c:choose>
                                 <c:when test="${!empty comment.email && !empty 
comment.name}">
                                     <fmt:message 
key="commentManagement.commentByBoth" >
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.email}" />
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.email}" 
/></fmt:param>
                                         <fmt:param value="mailto" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.name}">
                                     <fmt:message 
key="commentManagement.commentByName" >
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.email}">
                                     <fmt:message 
key="commentManagement.commentByName" >
-                                        <fmt:param value="${comment.email}" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:otherwise>
                                     <fmt:message 
key="commentManagement.commentByIP" >
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:otherwise>
                             </c:choose>
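Review bot: the third c:when branch (test="${!empty comment.email}") is only reached when comment.name is empty, yet its first fmt:param was changed from ${comment.email} to ${comment.name}; commentByName will now render an empty name instead of the e-mail address. The c:out wrapping is right, but the expression should stay ${comment.email}: `<fmt:param><c:out value="${comment.email}" /></fmt:param>`. The same swap appears in the 3.0, 3.1 and trunk copies of this hunk.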

Modified: incubator/roller/branches/roller_3.0/CHANGES.txt
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/CHANGES.txt?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_3.0/CHANGES.txt (original)
+++ incubator/roller/branches/roller_3.0/CHANGES.txt Mon Mar 19 12:25:59 2007
@@ -2,6 +2,22 @@
 ROLLER CHANGE LOG
 -----------------
+Roller 3.0.1: minor release to fix comment form XSS security risk
+
+Allowing commenters to leave HTML in comments is a potential security risk +because it allows commenters can add malicious Javascipt code. You can +disable HTML in comments via the Roller admin interface, but in Roller 2.3 and +earlier versions of Roller, attackers could still add malicious HTML to the +name, email and URL fields. + +We fixed the problem in Roller 2.3.1 and all subsequent versions of +Roller by stripping all HTML from name, email and comment fields at +comment post time. Also, we do HTML escaping whenever we display the
+suspect fields.
+
+
+-------------------------------------------------------------------------------
+
 Roller 3.0: major release with new URL structure and new template syste
Please refer to the What's New page for an overview of the changes:
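Review bot: the paragraph copied into the Roller 3.0.1 entry still describes the 2.3 situation: it says the fields were exposed "in Roller 2.3 and earlier versions" and that the fix landed "in Roller 2.3.1 and all subsequent versions", while this very commit patches 3.0 and 3.1. A reader of the 3.0 changelog would conclude 3.0 was never affected. Reword it for 3.0.1 (affected: Roller 3.0; fixed: 3.0.1) and carry over the same wording fixes as the 2.3 entry needs ("Javascipt", "allows commenters can add").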

Modified: 
incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- 
incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
 (original)
+++ 
incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
 Mon Mar 19 12:25:59 2007
@@ -27,6 +27,7 @@
 import org.apache.roller.model.RollerFactory;
 import org.apache.roller.model.WeblogManager;
 import org.apache.roller.pojos.WeblogEntryData;
+import org.apache.roller.util.Utilities;
/**
@@ -121,15 +122,15 @@
          *   notify - if commenter wants to receive notifications
          */
         if(request.getParameter("name") != null) {
-            this.name = request.getParameter("name");
+            this.name = Utilities.removeHTML(request.getParameter("name"));
         }
if(request.getParameter("email") != null) {
-            this.email = request.getParameter("email");
+            this.email = Utilities.removeHTML(request.getParameter("email"));
         }
if(request.getParameter("url") != null) {
-            this.url = request.getParameter("url");
+            this.url = Utilities.removeHTML(request.getParameter("url"));
         }
if(request.getParameter("content") != null) {
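Review bot: Utilities.removeHTML on name, email and url strips markup at post time, which is the right place for input normalisation, but for url consider going one step further and rejecting anything that is not an absolute http or https URL: the templates emit this value inside an href, and tag stripping says nothing about the scheme. The content parameter in the trailing context is deliberately left alone (it is escaped or reduced to the HTML subset at render time according to commentEscapeHtml); a one-line comment saying so here would stop someone later "fixing" it by stripping it too.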

Modified: 
incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- 
incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp
 (original)
+++ 
incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp
 Mon Mar 19 12:25:59 2007
@@ -308,27 +308,27 @@
                             <c:choose>
                                 <c:when test="${!empty comment.email && !empty 
comment.name}">
                                     <fmt:message 
key="commentManagement.commentByBoth" >
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.email}" />
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.email}" 
/></fmt:param>
                                         <fmt:param value="mailto" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.name}">
                                     <fmt:message 
key="commentManagement.commentByName" >
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.email}">
                                     <fmt:message 
key="commentManagement.commentByName" >
-                                        <fmt:param value="${comment.email}" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:otherwise>
                                     <fmt:message 
key="commentManagement.commentByIP" >
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:otherwise>
                             </c:choose>
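Review bot: same defect as in the 2.3 copy of this hunk: in the branch guarded by test="${!empty comment.email}", the first parameter was changed from ${comment.email} to ${comment.name}, which is empty in that branch by construction. It should be `<fmt:param><c:out value="${comment.email}" /></fmt:param>`.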

Modified: incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm 
(original)
+++ incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm Mon Mar 
19 12:25:59 2007
@@ -160,11 +160,10 @@
     <br/>
     #foreach( $comment in $comments )
         #if($comment.approved || $model.commentForm.preview)
-            #set($content = $utils.encodeEmail($comment.content))
             #if($config.commentEscapeHtml)
-                #set($content = $utils.escapeHTML($content))
+                #set($content = $utils.escapeHTML($comment.content))
#else - #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($content)))
+                #set($content = 
$utils.transformToHTMLSubset($utils.escapeHTML($comment.content)))
             #end
             #if($config.commentAutoFormat)
                 #set($content = $utils.autoformat($content))
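Review bot: the removed line #set($content = $utils.encodeEmail($comment.content)) is not mentioned in the log message and nothing in the hunk replaces it, so this commit silently drops e-mail obfuscation in comment bodies along with the XSS fix. If it was removed on purpose (for instance because encodeEmail emits markup that escapeHTML would then mangle), say so in the log and in a template comment; if it was an accident, it needs to come back at a point in the chain where its output is not re-escaped.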
@@ -177,11 +176,11 @@
                 <p class="comment-details">
                 $text.get("macro.weblog.postedby")
                 #if (!$utils.isEmpty($comment.name) && 
!$utils.isEmpty($comment.url))
-                    <a rel="nofollow" 
href="$comment.url"><b>$comment.name</b></a>
+                    <a rel="nofollow" 
href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
                 #elseif (!$utils.isEmpty($comment.name))
-                    <b>$comment.name</b>
+                    <b>$utils.escapeHTML($comment.name)</b>
                 #else
-                    <b>$comment.remoteHost</b>
+                    <b>$utils.escapeHTML($comment.remoteHost)</b>
                 #end
$text.get("macro.weblog.on") $utils.formatDate($comment.postTime, $text.get( "macro.weblog.datepattern" ))
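Review bot: the anchor still emits href="$comment.url" raw while the name beside it is escaped, so this display path now depends entirely on Utilities.removeHTML having run when the comment was posted, which is not true for comments stored before this fix. Escaping at output as well, href="$utils.escapeHTML($comment.url)", costs nothing and gives defence in depth, as the 2.3 comments.vm hunk in this commit already does for its URL.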
@@ -222,16 +221,16 @@
         <ul>
             <li>
                 <label class="desc">$text.get( "macro.weblog.name" )</label>
-                <input type="text" name="name" class="text large" value="$cform.name" 
size="50" maxlength="255" />
+                <input type="text" name="name" class="text large" 
value="$utilities.escapeHTML($cform.name)" size="50" maxlength="255" />
             </li>
<li><label class="desc">$text.get( "macro.weblog.email" )</label>
-                <input type="text" name="email" class="text large" value="$cform.email" 
size="50" maxlength="255" />
+                <input type="text" name="email" class="text large" 
value="$utilities.escapeHTML($cform.email)" size="50" maxlength="255" />
             </li>
<li><label class="desc">$text.get( "macro.weblog.url" )</label>
-                <input type="text" name="url" class="text large" value="$cform.url" 
size="50" maxlength="255" />
+                <input type="text" name="url" class="text large" 
value="$utilities.escapeHTML($cform.url)" size="50" maxlength="255" />
             </li>
#if ($config.commentEmailNotify)
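Review bot: these three inputs call $utilities.escapeHTML, while every other reference in this file (the @@ -160 and @@ -177 hunks above and the textarea hunk below) uses $utils. Unless $utilities is also bound in the weblog.vm context, Velocity will print the reference text literally into the value attribute instead of the escaped field. Use $utils.escapeHTML here for consistency, and load the page with a populated form to confirm the value actually renders.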
@@ -245,7 +244,12 @@
             </li>
             <li>
                 <label class="desc">$text.get( "macro.weblog.yourcomment" 
)</label>
-                <textarea name="content" class="textarea large" cols="" 
rows="">$cform.content</textarea>
+                #if($config.commentEscapeHtml)
+                    #set($content = $utils.escapeHTML($cform.content))
+ #else + #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($cform.content)))
+                #end
+                <textarea name="content" class="textarea large" cols="" 
rows="">$!content</textarea>
             </li>
             <li class="info">
                 <span class="comments-syntax-indicator">
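Review bot: inside a <textarea> the content should be fully HTML-escaped regardless of commentEscapeHtml. The browser treats textarea content as text apart from the closing tag, so the transformToHTMLSubset branch buys nothing for the form control and only adds a second code path whose output depends on what the subset transform lets through. Bind the textarea to $!utils.escapeHTML($cform.content) unconditionally and keep the #if for the rendered preview only; that unconditional escape is exactly what the 3.1 branch had before this commit (its @@ -247 hunk).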

Modified: 
incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- 
incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
 (original)
+++ 
incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
 Mon Mar 19 12:25:59 2007
@@ -27,6 +27,7 @@
 import org.apache.roller.business.RollerFactory;
 import org.apache.roller.business.WeblogManager;
 import org.apache.roller.pojos.WeblogEntryData;
+import org.apache.roller.util.Utilities;
/**
@@ -121,15 +122,15 @@
          *   notify - if commenter wants to receive notifications
          */
         if(request.getParameter("name") != null) {
-            this.name = request.getParameter("name");
+            this.name = Utilities.removeHTML(request.getParameter("name"));
         }
if(request.getParameter("email") != null) {
-            this.email = request.getParameter("email");
+            this.email = Utilities.removeHTML(request.getParameter("email"));
         }
if(request.getParameter("url") != null) {
-            this.url = request.getParameter("url");
+            this.url = Utilities.removeHTML(request.getParameter("url"));
         }
if(request.getParameter("content") != null) {

Modified: 
incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- 
incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp
 (original)
+++ 
incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp
 Mon Mar 19 12:25:59 2007
@@ -329,27 +329,27 @@
                             <c:choose>
                                 <c:when test="${!empty comment.email && !empty 
comment.name}">
                                     <fmt:message 
key="commentManagement.commentByBoth" >
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.email}" />
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.email}" 
/></fmt:param>
                                         <fmt:param value="mailto" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.name}">
                                     <fmt:message 
key="commentManagement.commentByName" >
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.email}">
                                     <fmt:message 
key="commentManagement.commentByName" >
-                                        <fmt:param value="${comment.email}" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:otherwise>
                                     <fmt:message 
key="commentManagement.commentByIP" >
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:otherwise>
                             </c:choose>
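Review bot: same swap as in the 2.3 and 3.0 copies of this hunk: in the branch guarded by test="${!empty comment.email}", ${comment.email} became ${comment.name}, which is empty there. It should be `<fmt:param><c:out value="${comment.email}" /></fmt:param>`. The trunk copy of this hunk further down has the same line and needs the same correction.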

Modified: incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm
URL: 
http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm 
(original)
+++ incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm Mon Mar 
19 12:25:59 2007
@@ -160,11 +160,10 @@
     <br/>
     #foreach( $comment in $comments )
         #if($comment.approved || $model.commentForm.preview)
-            #set($content = $utils.encodeEmail($comment.content))
             #if($config.commentEscapeHtml)
-                #set($content = $utils.escapeHTML($content))
+                #set($content = $utils.escapeHTML($comment.content))
#else - #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($content)))
+                #set($content = 
$utils.transformToHTMLSubset($utils.escapeHTML($comment.content)))
             #end
             #if($config.commentAutoFormat)
                 #set($content = $utils.autoformat($content))
@@ -177,11 +176,11 @@
                 <p class="comment-details">
                 $text.get("macro.weblog.postedby")
                 #if (!$utils.isEmpty($comment.name) && 
!$utils.isEmpty($comment.url))
-                    <a rel="nofollow" 
href="$comment.url"><b>$comment.name</b></a>
+                    <a rel="nofollow" 
href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
                 #elseif (!$utils.isEmpty($comment.name))
-                    <b>$comment.name</b>
+                    <b>$utils.escapeHTML($comment.name)</b>
                 #elseif ($comment.remoteHost)
-                    <b>$comment.remoteHost</b>
+                    <b>$utils.escapeHTML($comment.remoteHost)</b>
                 #else
                     <b>$text.get("macro.weblog.comment.unknown")</b>
                 #end
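Review bot: as in the 3.0 copy of this hunk, href="$comment.url" is still emitted unescaped next to the now-escaped name; escape it at output too (href="$utils.escapeHTML($comment.url)") so the display does not rely solely on removeHTML having run at post time, which older stored comments never went through.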
@@ -247,7 +246,12 @@
             </li>
             <li>
                 <label class="desc">$text.get( "macro.weblog.yourcomment" 
)</label>
-                <textarea name="content" class="textarea large" cols="40" 
rows="10">$utils.escapeHTML($cform.content)</textarea>
+                #if($config.commentEscapeHtml)
+                    #set($content = $utils.escapeHTML($cform.content))
+ #else + #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($cform.content)))
+                #end
+                <textarea name="content" class="textarea large" cols="" 
rows="">$content</textarea>
             </li>
             <li class="info">
                 <span class="comments-syntax-indicator">
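Review bot: this hunk replaces a textarea that already escaped its content unconditionally ($utils.escapeHTML($cform.content)) with the conditional subset transform, which is a step backwards for a form control: the escaped form is correct in both configurations, so the #if adds risk without adding function. It also quietly changes cols="40" rows="10" to cols="" rows="", a layout regression not mentioned in the log, and uses $content where the 3.0 copy uses the quiet $!content; restore the original attribute values and the unconditional escape.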

Modified: 
incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
URL: 
http://svn.apache.org/viewvc/incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- 
incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
 (original)
+++ 
incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
 Mon Mar 19 12:25:59 2007
@@ -27,6 +27,7 @@
 import org.apache.roller.business.RollerFactory;
 import org.apache.roller.business.WeblogManager;
 import org.apache.roller.pojos.WeblogEntryData;
+import org.apache.roller.util.Utilities;
/**
@@ -121,15 +122,15 @@
          *   notify - if commenter wants to receive notifications
          */
         if(request.getParameter("name") != null) {
-            this.name = request.getParameter("name");
+            this.name = Utilities.removeHTML(request.getParameter("name"));
         }
if(request.getParameter("email") != null) {
-            this.email = request.getParameter("email");
+            this.email = Utilities.removeHTML(request.getParameter("email"));
         }
if(request.getParameter("url") != null) {
-            this.url = request.getParameter("url");
+            this.url = Utilities.removeHTML(request.getParameter("url"));
         }
if(request.getParameter("content") != null) {

Modified: 
incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp
URL: 
http://svn.apache.org/viewvc/incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp 
(original)
+++ incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp Mon 
Mar 19 12:25:59 2007
@@ -364,27 +364,27 @@
                             <c:choose>
                                 <c:when test="${!empty comment.email && !empty 
comment.name}">
                                     <fmt:message 
key="commentManagement.commentByBoth" >
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.email}" />
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.email}" 
/></fmt:param>
                                         <fmt:param value="mailto" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.name}">
                                     <fmt:message 
key="commentManagement.commentByName" >
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.email}">
                                     <fmt:message 
key="commentManagement.commentByName" >
-                                        <fmt:param value="${comment.email}" />
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.name}" 
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:otherwise>
                                     <fmt:message 
key="commentManagement.commentByIP" >
-                                        <fmt:param value="${comment.remoteHost}" 
/>
+                                        <fmt:param><c:out value="${comment.remoteHost}" 
/></fmt:param>
                                      </fmt:message>
                                 </c:otherwise>
                             </c:choose>
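Review bot: The `${!empty comment.email}` branch now outputs `${comment.name}` where the removed line output `${comment.email}`; since this branch is only reached after the `${!empty comment.name}` branch has failed, name is empty here and the email is never displayed. The replacement should read `<fmt:param><c:out value="${comment.email}" /></fmt:param>`. The move from `<fmt:param value="...">` to `<fmt:param><c:out ...></fmt:param>` is otherwise the right fix, since `<c:out>` escapes XML by default while `<fmt:param value>` inserted the raw value.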

Modified: incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm
URL: 
http://svn.apache.org/viewvc/incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm (original)
+++ incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm Mon Mar 19 12:25:59 
2007
@@ -179,11 +179,10 @@
     <br/>
     #foreach( $comment in $comments )
         #if($comment.approved || $model.commentForm.preview)
-            #set($content = $utils.encodeEmail($comment.content))
             #if($config.commentEscapeHtml)
-                #set($content = $utils.escapeHTML($content))
+                #set($content = $utils.escapeHTML($comment.content))
#else - #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($content)))
+                #set($content = 
$utils.transformToHTMLSubset($utils.escapeHTML($comment.content)))
             #end
             #if($config.commentAutoFormat)
                 #set($content = $utils.autoformat($content))
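Review bot: The deleted `#set($content = $utils.encodeEmail($comment.content))` removes the email-address encoding from displayed comment content, and the commit log only mentions stripping and escaping HTML. If dropping encodeEmail is intentional (for instance because its output did not survive escapeHTML), that should be stated in the log or a template comment; otherwise it needs to be reinstated. The remaining changes in this hunk only re-base both branches on $comment.content and are consistent with each other.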
@@ -197,11 +196,11 @@
                 <p class="comment-details">
                 $text.get("macro.weblog.postedby")
                 #if (!$utils.isEmpty($comment.name) && 
!$utils.isEmpty($comment.url))
-                    <a rel="nofollow" 
href="$comment.url"><b>$comment.name</b></a>
+                    <a rel="nofollow" 
href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
                 #elseif (!$utils.isEmpty($comment.name))
-                    <b>$comment.name</b>
+                    <b>$utils.escapeHTML($comment.name)</b>
                 #elseif ($comment.remoteHost)
-                    <b>$comment.remoteHost</b>
+                    <b>$utils.escapeHTML($comment.remoteHost)</b>
                 #else
                     <b>$text.get("macro.weblog.comment.unknown")</b>
                 #end
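Review bot: `href="$comment.url"` on the retained line is still emitted unescaped while the adjacent `$comment.name` is now wrapped in $utils.escapeHTML; the input-side Utilities.removeHTML in WeblogCommentRequest strips tags but does not encode quotes, so the attribute value needs the same treatment as the link text, e.g. `href="$utils.escapeHTML($comment.url)"`, and ideally a check that the stored value is an http or https URL before it is rendered as a link at all.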
@@ -245,16 +244,15 @@
         <ul>
             <li>
                 <label class="desc">$text.get( "macro.weblog.name" )</label>
-                <input type="text" name="name" class="text large" value="$cform.name" 
size="50" maxlength="255" />
+                <input type="text" name="name" class="text large" 
value="$utils.escapeHTML($cform.name)" size="50" maxlength="255" />
             </li>
-
             <li><label class="desc">$text.get( "macro.weblog.email" )</label>
-                <input type="text" name="email" class="text large" value="$cform.email" 
size="50" maxlength="255" />
+                <input type="text" name="email" class="text large" 
value="$utils.escapeHTML($cform.email)" size="50" maxlength="255" />
             </li>
<li><label class="desc">$text.get( "macro.weblog.url" )</label>
-                <input type="text" name="url" class="text large" value="$cform.url" 
size="50" maxlength="255" />
+                <input type="text" name="url" class="text large" 
value="$utils.escapeHTML($cform.url)" size="50" maxlength="255" />
             </li>
#if ($config.commentEmailNotify)
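Review bot: Escaping $cform.name, $cform.email and $cform.url inside the value attributes is the correct fix for this context, provided $utils.escapeHTML encodes the double quote as well as `<`, `>` and `&`; since these values sit inside double-quoted attributes, that is worth confirming and documenting on the method. The removed blank line after the name `</li>` is unrelated whitespace churn and could be dropped from a security fix.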
@@ -268,7 +266,14 @@
             </li>
             <li>
                 <label class="desc">$text.get( "macro.weblog.yourcomment" 
)</label>
-                <textarea name="content" class="textarea large" cols="40" 
rows="10">$utils.escapeHTML($cform.content)</textarea>
+
+            #if($config.commentEscapeHtml)
+                #set($content = $utils.escapeHTML($cform.content))
+ #else + #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($cform.content))) + #end + <textarea name="content" class="textarea large" cols="40" rows="10">$utils.escapeHTML($content)</textarea>
+
             </li>
             <li class="info">
                 <span class="comments-syntax-indicator">
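Review bot: The new textarea body escapes twice: $content is already the output of $utils.escapeHTML (optionally followed by transformToHTMLSubset), and it is then passed through $utils.escapeHTML again, so a previewed comment containing `&` or `<` is shown back to the commenter as `&amp;` or `&lt;` and is corrupted on resubmission. For an edit box the single escape on the removed line, `$utils.escapeHTML($cform.content)`, was already correct; the commentEscapeHtml/transformToHTMLSubset branch belongs to the display path in the earlier hunk, not to the form field, so this block should go back to the one-line version.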

