stevel      2003/01/15 15:31:51

  Modified:    java/src/org/apache/axis/transport/http AxisServlet.java
  Log:
  bug 16147; faults are only written to HTML in one place, and we use the new 
AxisFault.dumpFault(boolean) method to escape them; same for the localised message.
  
  Revision  Changes    Path
  1.155     +17 -5     
xml-axis/java/src/org/apache/axis/transport/http/AxisServlet.java
  
  Index: AxisServlet.java
  ===================================================================
  RCS file: 
/home/cvs/xml-axis/java/src/org/apache/axis/transport/http/AxisServlet.java,v
  retrieving revision 1.154
  retrieving revision 1.155
  diff -u -r1.154 -r1.155
  --- AxisServlet.java  10 Jan 2003 06:56:31 -0000      1.154
  +++ AxisServlet.java  15 Jan 2003 23:31:51 -0000      1.155
  @@ -365,8 +365,7 @@
           if(exception instanceof AxisFault) {
               AxisFault fault=(AxisFault)exception;
               processAxisFault(fault);
  -            writer.println("<pre>Fault - " + fault.toString() + " </pre>");
  -            writer.println("<pre>" + fault.dumpToString() + " </pre>");
  +            writeFault(writer, fault);
           } else {
               logException(exception);
               writer.println("<pre>Exception - " + exception + "<br>");
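Review bot: The else branch on the hunk's last line still writes `exception` into the HTML unescaped, so the cross-site-scripting defence the commit adds for the AxisFault branch does not cover the generic Exception path rendered on the same page. Whatever text the exception message carries reaches the response verbatim; the same encoder the new helper uses would close that gap: `writer.println("<pre>Exception - " + XMLUtils.xmlEncodeString(exception.toString()) + "<br>");`. The enclosing method starts before and continues past this hunk, so any further unescaped lines in that branch are not visible here.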
  @@ -403,6 +402,20 @@
       protected void logException(Exception e) {
           exceptionLog.info(Messages.getMessage("exception00"), e);
       }
  +
  +    /**
  +     * this method writes a fault out to an HTML stream. This includes
  +     * escaping the strings to defend against cross-site scripting attacks
  +     * @param writer
  +     * @param axisFault
  +     */
  +    private void writeFault(PrintWriter writer, AxisFault axisFault) {
  +        String localizedMessage = 
XMLUtils.xmlEncodeString(axisFault.getLocalizedMessage());
  +        writer.println("<pre>Fault - " + localizedMessage + "<br>");
  +        writer.println(axisFault.dumpToString(true));
  +        writer.println("</pre>");
  +    }
  +    
       /**
        * scan through the request for parameters, invoking the endpoint
        * if we get a method param. If there was no method param then the
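Review bot: The Javadoc's `@param writer` and `@param axisFault` tags on the new writeFault are empty, and the bare `true` passed to dumpToString gives no hint what it switches on. I would fill the tags — `@param writer the HTML response stream the fault is rendered into` and `@param axisFault the fault whose localized message and dump are written, both escaped for HTML` — and annotate the literal, `// true: presumably the escaping variant of the dump (the log calls it dumpFault(boolean)); confirm`. Whether xmlEncodeString tolerates a null localized message is not visible here, so that may be worth confirming as well.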
  @@ -634,11 +647,10 @@
   
           if(axisFault!=null && isDevelopment()) {
               //dev systems only give fault dumps
  -            writer.println("<pre>Exception - " + axisFault.getLocalizedMessage()+ 
"<br>");
  -            writer.println(axisFault.dumpToString());
  -            writer.println("</pre>");
  +            writeFault(writer, axisFault);
           }
       }
  +
   
       /**
        * This method lists the available services; it is called when there is
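Review bot: This call to writeFault sits under an `isDevelopment()` guard, while the earlier call site introduced by this commit (the hunk at line 365) appears to write the fault dump unconditionally, so the two paths disagree on whether fault dumps reach a non-development client. If the guard here is deliberate, the line-365 site deserves the same `if (isDevelopment())` check or a comment explaining why it is exempt; the start of that method is outside its hunk, so an outer guard there is possible but not visible. The method enclosing this hunk also starts outside it.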
  
  
  

