dnaber 2004/10/16 09:21:58
Modified: src/jsp results.jsp
Log: security: the error message was not escaped, this could enable cross site scripting
Revision Changes Path
1.4 +12 -2 jakarta-lucene/src/jsp/results.jsp
Index: results.jsp
===================================================================
RCS file: /home/cvs/jakarta-lucene/src/jsp/results.jsp,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- results.jsp 12 Oct 2004 22:14:26 -0000 1.3
+++ results.jsp 16 Oct 2004 16:21:58 -0000 1.4
@@ -15,6 +15,16 @@
*/ %>
+<%!
+public String escapeHTML(String s) {
+ s = s.replaceAll("&", "&");
+ s = s.replaceAll("<", "<");
+ s = s.replaceAll(">", ">");
+ s = s.replaceAll("\"", """);
+ s = s.replaceAll("'", "'");
+ return s;
+}
+%> <[EMAIL PROTECTED] file="header.jsp"%> <% boolean error = false; //used to control flow for error messages
@@ -40,7 +50,7 @@
//or otherwise corrupt index %> <p>ERROR opening the Index - contact sysadmin!</p>
- <p>While parsing query: <%=e.getMessage()%></p>
+ <p>Error message: <%=escapeHTML(e.getMessage())%></p>
<% error = true; //don't do anything up to the footer } %>
@@ -72,7 +82,7 @@
//send them a nice error HTML %>
- <p>Error while parsing query: <%=e.getMessage()%></p>
+ <p>Error while parsing query: <%=escapeHTML(e.getMessage())%></p>
<% error = true; //don't bother with the rest of //the page
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
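Review bot: escapeHTML dereferences its argument at the first `replaceAll`, but both call sites added in the second and third hunks pass `e.getMessage()`, which `Throwable.getMessage()` may return as null; the error page would then die with a NullPointerException instead of rendering the sysadmin/parse-error message. A guard at the top of the declaration, `if (s == null) return "";`, keeps the page rendering for a message-less exception. Separately, as this mail renders the first hunk, every replacement string is identical to the string it replaces (`s.replaceAll("&", "&")`), which would make the function a no-op; that most likely is the archive decoding the entity references, but the committed file should be confirmed to contain `&amp;`, `&lt;`, `&gt;`, `&quot;` and an entity for the apostrophe rather than the literal characters. Replacing `&` first is the correct order, since the later replacements introduce ampersands of their own.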