Author: cziegeler
Date: Fri Jul 19 06:47:54 2013
New Revision: 1504776

URL: http://svn.apache.org/r1504776
Log:
SLING-2974 : XSS vulnerability in AbstractAuthenticationFormServlet

Modified:
    
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java

Modified: 
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java?rev=1504776&r1=1504775&r2=1504776&view=diff
==============================================================================
--- 
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
 (original)
+++ 
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
 Fri Jul 19 06:47:54 2013
@@ -130,14 +130,35 @@ public abstract class AbstractAuthentica
             throws IOException {
         String form = getRawForm();
 
-        form = form.replace("${resource}", getResource(request));
-        form = form.replace("${j_reason}", getReason(request));
-        form = form.replace("${requestContextPath}", getContextPath(request));
-        form = form.replace("${contextPath}", request.getContextPath());
+        form = form.replace("${resource}", escapeXml(getResource(request)));
+        form = form.replace("${j_reason}", escapeXml(getReason(request)));
+        form = form.replace("${requestContextPath}", 
escapeXml(getContextPath(request)));
+        form = form.replace("${contextPath}", 
escapeXml(request.getContextPath()));
 
         return form;
     }
 
+    private static String escapeXml(final String input) {
+        if (input == null) {
+            return null;
+        }
+
+        final StringBuilder b = new StringBuilder(input.length());
+        for(int i = 0;i  < input.length(); i++) {
+            final char c = input.charAt(i);
+            if(c == '&') {
+                b.append("&amp;");
+            } else if(c == '<') {
+                b.append("&lt;");
+            } else if(c == '>') {
+                b.append("&gt;");
+            } else {
+                b.append(c);
+            }
+        }
+        return b.toString();
+    }
+
     /**
      * Returns the path to the resource to which the request should be
      * redirected after successfully completing the form or an empty string if
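Review bot: escapeXml rewrites only `&`, `<` and `>`, so a substituted value containing `"` or `'` still terminates an attribute if any of the four placeholders sits inside one in the raw form template; the template comes from getRawForm() and is not visible here, but `${resource}` and `${contextPath}` are presumably used in `value="…"` or `action="…"` attributes, where no `<` is needed to inject an event handler. Add attribute-safe branches before the final else: `} else if (c == '"') { b.append("&quot;"); } else if (c == '\'') { b.append("&#39;"); }`. Separately, the early `return null` hands `null` straight to `String.replace`, which throws NullPointerException exactly as the pre-change code did; returning `""` there would make the substitution total and keep the form renderable. The method whose body starts at `throws IOException {` has its signature above the hunk.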

