Author: gangolli
Date: Tue Jun 17 09:45:00 2008
New Revision: 668737

URL: http://svn.apache.org/viewvc?rev=668737&view=rev
Log:
Fix for injection problem in search.  HTML is removed and remaining XML escaped 
before returning the term.  The original raw term is still accessible using the 
property "rawTerm".

Modified:
    
roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java

Modified: 
roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java
URL: 
http://svn.apache.org/viewvc/roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java?rev=668737&r1=668736&r2=668737&view=diff
==============================================================================
--- 
roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java
 (original)
+++ 
roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java
 Tue Jun 17 09:45:00 2008
@@ -27,6 +27,7 @@
 import java.util.TreeSet;
 import org.apache.commons.collections.comparators.ReverseComparator;
 import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.lucene.document.Document;
 import org.apache.lucene.search.Hits;
 import org.apache.roller.weblogger.WebloggerException;
@@ -47,6 +48,7 @@
 import org.apache.roller.util.DateUtil;
 import org.apache.roller.weblogger.business.URLStrategy;
 import org.apache.roller.weblogger.util.I18nMessages;
+import org.apache.roller.weblogger.util.Utilities;
 
 
 /**
@@ -232,6 +234,11 @@
     
     
     public String getTerm() {
+        String query = searchRequest.getQuery();
+        return (query == null) ? "" : 
StringEscapeUtils.escapeXml(Utilities.escapeHTML(query));
+    }
+
+    public String getRawTerm() {
         return (searchRequest.getQuery() == null) ? "" : 
searchRequest.getQuery();
     }
 
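Review bot: The escaping chain in the new getTerm() risks double-encoding: if Utilities.escapeHTML entity-encodes `&`, `<` and `>` (as its name suggests, while the log message says HTML is "removed"), StringEscapeUtils.escapeXml then re-encodes the `&` of each entity and the page shows `&lt;` literally instead of `<`; if it strips tags, the chain is correct but that should be stated. Confirm which it is, and if it already encodes, a single pass suffices: `return (query == null) ? "" : StringEscapeUtils.escapeXml(query);`. Note also that commons-lang 2.x escapeXml turns non-ASCII characters into numeric entities, so a non-ASCII term is harmless in HTML text but not suitable for a URL or a plain-text context. Both methods need a Javadoc stating their contract, e.g. on getTerm `/** Search term with HTML removed and XML-escaped; safe as HTML/XML text content, not for URL building. */` and on getRawTerm `/** Unescaped search term exactly as the user entered it; callers must escape or URL-encode it for their output context. */`, so that templates switching to getRawTerm do not silently reintroduce the injection this commit fixes.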

