On 13/05/2012 00:56, kkoli...@apache.org wrote:
> Author: kkolinko
> Date: Sat May 12 23:56:13 2012
> New Revision: 1337741
> 
> URL: http://svn.apache.org/viewvc?rev=1337741&view=rev
> Log:
> Pass all string values through the filter in RequestInfoExample servlet.

Those values were not passed through the filter since it is not possible
for them to have values that need filtering.

For example, if method contains HTML it will never get as far as the
Servlet since it is not a valid request. The same for scheme.

Remote address and cipher suite are provided via APIs that always return
safe values.

Mark


> 
> Modified:
>     tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java
> 
> Modified: 
> tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java
> URL: 
> http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java?rev=1337741&r1=1337740&r2=1337741&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java 
> (original)
> +++ tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java Sat 
> May 12 23:56:13 2012
> @@ -75,7 +75,7 @@ public class RequestInfoExample extends 
>          out.println("<table border=0><tr><td>");
>          out.println(RB.getString("requestinfo.label.method"));
>          out.println("</td><td>");
> -        out.println(request.getMethod());
> +        out.println(HTMLFilter.filter(request.getMethod()));
>          out.println("</td></tr><tr><td>");
>          out.println(RB.getString("requestinfo.label.requesturi"));
>          out.println("</td><td>");
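Review bot: At `out.println(HTMLFilter.filter(request.getMethod()));` the log message says only "Pass all string values through the filter" and gives no reason, and the reply above argues that a method containing HTML never reaches the servlet. If the intent is uniform encoding at the output sink rather than a fix for a known unsafe value, say so in the log message or in a short code comment, so readers of this example servlet do not infer that `getMethod()` was an exploitable source here.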
> @@ -83,7 +83,7 @@ public class RequestInfoExample extends 
>          out.println("</td></tr><tr><td>");
>          out.println(RB.getString("requestinfo.label.protocol"));
>          out.println("</td><td>");
> -        out.println(request.getProtocol());
> +        out.println(HTMLFilter.filter(request.getProtocol()));
>          out.println("</td></tr><tr><td>");
>          out.println(RB.getString("requestinfo.label.pathinfo"));
>          out.println("</td><td>");
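Review bot: The row pattern in this hunk (label via `RB.getString(...)`, then `</td><td>`, then `out.println(HTMLFilter.filter(...))`) is now repeated by hand for every value, so whether a row is encoded depends on each call site remembering the wrapper. Consider a small private helper that takes the label key and the raw value and applies `HTMLFilter.filter` itself, so a row added later cannot skip the filter.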
> @@ -91,7 +91,7 @@ public class RequestInfoExample extends 
>          out.println("</td></tr><tr><td>");
>          out.println(RB.getString("requestinfo.label.remoteaddr"));
>          out.println("</td><td>");
> -        out.println(request.getRemoteAddr());
> +        out.println(HTMLFilter.filter(request.getRemoteAddr()));
>          out.println("</td></tr>");
>  
>          String cipherSuite=
> @@ -100,7 +100,7 @@ public class RequestInfoExample extends 
>              out.println("<tr><td>");
>              out.println("SSLCipherSuite:");
>              out.println("</td><td>");
> -            out.println(cipherSuite);
> +            out.println(HTMLFilter.filter(cipherSuite));
>              out.println("</td></tr>");
>          }
>  
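Review bot: In the context of this hunk the label is the hard-coded literal `out.println("SSLCipherSuite:");` while the other rows take their labels from `RB.getString(...)`. It is not part of this change, but since the row is being touched, moving the label into the resource bundle would keep it consistent with the rest of the table.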
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
> 

