https://issues.apache.org/jira/browse/AMQ-4471 - Fixing bug where stomp ws example allows remote JS execution.
Project: http://git-wip-us.apache.org/repos/asf/activemq/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq/commit/8a5c0528
Tree: http://git-wip-us.apache.org/repos/asf/activemq/tree/8a5c0528
Diff: http://git-wip-us.apache.org/repos/asf/activemq/diff/8a5c0528
Branch: refs/heads/activemq-5.9
Commit: 8a5c0528f8bcd1abca9fbecaad6b1fd1a94d0a45
Parents: 28e6e6f
Author: Hiram Chirino <[email protected]>
Authored: Wed Oct 30 13:19:26 2013 -0400
Committer: Hadrian Zbarcea <[email protected]>
Committed: Tue Mar 11 21:04:05 2014 -0400
----------------------------------------------------------------------
 assembly/src/release/examples/stomp/websocket/index.html | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq/blob/8a5c0528/assembly/src/release/examples/stomp/websocket/index.html
----------------------------------------------------------------------
diff --git a/assembly/src/release/examples/stomp/websocket/index.html b/assembly/src/release/examples/stomp/websocket/index.html
index 12b5b23..26b02df 100644
--- a/assembly/src/release/examples/stomp/websocket/index.html
+++ b/assembly/src/release/examples/stomp/websocket/index.html
@@ -101,7 +101,7 @@
 // this allows to display debug logs directly on the web page
 client.debug = function(str) {
- $("#debug").append(str + "\n");
+ $("#debug").append(document.createTextNode(str + "\n"));
 };
 // the client is notified when it is connected to the server.
@@ -110,7 +110,9 @@
 $('#connect').fadeOut({ duration: 'fast' });
 $('#connected').fadeIn();
 client.subscribe(destination, function(message) {
- $("#messages").append("<p>" + message.body + "</p>\n");
+ var p = document.createElement("p");
+ p.appendChild(document.createTextNode(message.body));
+ $("#messages").append(p);
 });
 });
 return false;
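Review bot: Nothing in the new `client.debug` body records why the log string is wrapped in `document.createTextNode`, so a later tidy-up back to `append(str + "\n")` would silently restore the HTML-parsing sink. I would add a comment directly above the append, for example `// append as a text node: jQuery's append() parses string arguments as HTML`. The same comment belongs above the `message.body` paragraph built in the subscribe callback of the second hunk, since that value presumably comes from whoever can publish to the destination.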
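Review bot: The three added lines in the subscribe callback switch to raw DOM calls in code that otherwise uses jQuery throughout; `$("#messages").append($("<p>").text(message.body));` builds the same text-only paragraph in one statement and keeps to the surrounding style. The removed line also appended a trailing "\n" after each paragraph, which the new code drops; that looks cosmetic, but it is worth confirming that nothing on the page depends on it. The enclosing `client.connect` callback starts above the hunk, so any other use of `message` in it is not visible here.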
