Author: lukaszlenart
Date: Fri Oct 18 08:10:07 2013
New Revision: 1533354
URL: http://svn.apache.org/r1533354
Log:
WW-4213 Sanitises input param namespace to avoid XSS
Modified:
struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ActionNamesAction.java
struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ShowConfigAction.java
Modified:
struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ActionNamesAction.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ActionNamesAction.java?rev=1533354&r1=1533353&r2=1533354&view=diff
==============================================================================
---
struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ActionNamesAction.java
(original)
+++
struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ActionNamesAction.java
Fri Oct 18 08:10:07 2013
@@ -24,6 +24,7 @@ package org.apache.struts2.config_browse
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.config.entities.ActionConfig;
import com.opensymphony.xwork2.inject.Inject;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.struts2.StrutsConstants;
import java.util.Set;
@@ -57,7 +58,7 @@ public class ActionNamesAction extends A
}
public void setNamespace(String namespace) {
- this.namespace = namespace;
+ this.namespace = StringEscapeUtils.escapeEcmaScript(namespace);
}
@Inject(StrutsConstants.STRUTS_ACTION_EXTENSION)
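Review bot: The escaping on line 32 is done for the wrong context and at the wrong layer: `StringEscapeUtils.escapeEcmaScript` encodes for a JavaScript string literal, so it leaves `<`, `>` and `&` untouched (a view that renders `getNamespace()` into HTML is still not protected), while it does rewrite `/` as `\/`, which alters every Struts namespace (they begin with `/`) before it is stored. If the class body outside this hunk uses `namespace` as a configuration lookup key, that lookup presumably no longer matches the configured value — worth confirming. Prefer keeping the setter a plain assignment, `this.namespace = namespace;`, and encoding at the render site for the actual output context (e.g. `StringEscapeUtils.escapeHtml4` where the value is written into the page, or the tag library's own escaping), or validating the incoming value against the set of configured namespaces and rejecting anything unknown. The same change is made in ShowConfigAction.setNamespace in the second file and this note applies there too. setNamespace is complete within the hunk; the enclosing class continues outside it.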
Modified:
struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ShowConfigAction.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ShowConfigAction.java?rev=1533354&r1=1533353&r2=1533354&view=diff
==============================================================================
---
struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ShowConfigAction.java
(original)
+++
struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ShowConfigAction.java
Fri Oct 18 08:10:07 2013
@@ -27,6 +27,7 @@ import com.opensymphony.xwork2.inject.In
import com.opensymphony.xwork2.util.logging.Logger;
import com.opensymphony.xwork2.util.logging.LoggerFactory;
import com.opensymphony.xwork2.util.reflection.ReflectionProvider;
+import org.apache.commons.lang3.StringEscapeUtils;
import java.beans.PropertyDescriptor;
import java.util.Set;
@@ -81,7 +82,7 @@ public class ShowConfigAction extends Ac
}
public void setNamespace(String namespace) {
- this.namespace = namespace;
+ this.namespace = StringEscapeUtils.escapeEcmaScript(namespace);
}
public String getActionName() {