Revision: 43560
Author: aschrijvers
Date: 2014-02-25 11:37:29 +0100 (Tue, 25 Feb 2014)
Log Message:
-----------
HSTTWO-2855 forward port: fix XSS vulnerability in LoginServlet
Modified Paths:
--------------
hippo-cms7/site-toolkit/trunk/components/security/src/main/java/org/hippoecm/hst/security/servlet/LoginServlet.java
Modified:
hippo-cms7/site-toolkit/trunk/components/security/src/main/java/org/hippoecm/hst/security/servlet/LoginServlet.java
===================================================================
---
hippo-cms7/site-toolkit/trunk/components/security/src/main/java/org/hippoecm/hst/security/servlet/LoginServlet.java
2014-02-25 10:23:44 UTC (rev 43559)
+++
hippo-cms7/site-toolkit/trunk/components/security/src/main/java/org/hippoecm/hst/security/servlet/LoginServlet.java
2014-02-25 10:37:29 UTC (rev 43560)
@@ -17,6 +17,7 @@
import java.io.IOException;
import java.io.PrintWriter;
+import java.net.URLEncoder;
import java.security.Principal;
import java.util.HashMap;
import java.util.Locale;
@@ -424,7 +425,7 @@
Map<String, Object> params = new HashMap<String, Object>();
params.put("j_username", username);
- params.put("destination", response.encodeURL(destination));
+ params.put("destination",
URLEncoder.encode(response.encodeURL(destination), "UTF-8"));
renderTemplatePage(request, response, "login_form.ftl", params);
}
@@ -462,7 +463,7 @@
Map<String, Object> params = new HashMap<String, Object>();
params.put("j_username", username);
- params.put("destination", response.encodeURL(destination));
+ params.put("destination",
URLEncoder.encode(response.encodeURL(destination), "UTF-8"));
renderTemplatePage(request, response, "login_failure.ftl", params);
}