Author: thecarlhall
Date: Sat Feb 25 02:05:56 2012
New Revision: 1293518
URL: http://svn.apache.org/viewvc?rev=1293518&view=rev
Log:
SLING-2427 Escape the resource metadata in HtmlRendererServlet to stop HTML
injection via the request URL.
Modified:
sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java
Modified:
sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java
URL:
http://svn.apache.org/viewvc/sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java?rev=1293518&r1=1293517&r2=1293518&view=diff
==============================================================================
---
sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java
(original)
+++
sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java
Sat Feb 25 02:05:56 2012
@@ -24,6 +24,7 @@ import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
import org.apache.sling.api.SlingConstants;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
@@ -102,7 +103,8 @@ public class HtmlRendererServlet extends
private void printResourceInfo(PrintWriter pw, Resource r) {
pw.println("<h1>Resource dumped by " + getClass().getSimpleName() +
"</h1>");
pw.println("<p>Resource path: <b>" + r.getPath() + "</b></p>");
- pw.println("<p>Resource metadata: <b>" + r.getResourceMetadata()
+ pw.println("<p>Resource metadata: <b>"
+ +
StringEscapeUtils.escapeHtml(String.valueOf(r.getResourceMetadata()))
+ "</b></p>");
pw.println("<p>Resource type: <b>" + r.getResourceType() + "</b></p>");
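Review bot: The same unescaped concatenation this commit fixes for the metadata remains on the neighbouring lines: `r.getPath()` (the line before the changed ones) and `r.getResourceType()` (the last line of the hunk) are still written straight into the `<b>` element, and the resource path in particular is derived from the request URL, so any attacker-controlled characters in it reach the page unescaped. Both should go through the same helper: `pw.println("<p>Resource path: <b>" + StringEscapeUtils.escapeHtml(r.getPath()) + "</b></p>");` and `pw.println("<p>Resource type: <b>" + StringEscapeUtils.escapeHtml(r.getResourceType()) + "</b></p>");`. Note that commons-lang's `escapeHtml` does not encode `'`, which is fine here because the values land in element text rather than in an attribute. printResourceInfo continues past the end of this hunk, so any further `r.*` values printed below should be checked the same way.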