Hi,
this fixes the missing HTML-escaping of the user-supplied "query" parameter
where search.jsp echoes it back into the page. The lack of escaping is a
security problem: it enables reflected cross-site scripting (XSS), since a
crafted query string can inject markup and script into the response. Can
someone please commit this patch?
Regards
Daniel
--
http://www.danielnaber.de
Index: search.jsp
===================================================================
RCS file: /cvsroot/nutch/nutch/src/web/jsp/search.jsp,v
retrieving revision 1.22
diff -u -r1.22 search.jsp
--- search.jsp 3 Feb 2004 22:06:45 -0000 1.22
+++ search.jsp 19 May 2004 22:23:16 -0000
@@ -15,6 +15,7 @@
String queryString = request.getParameter("query");
if (queryString == null)
throw new ServletException("no query specified");
+ String htmlQueryString = net.nutch.html.Entities.encode(request.getParameter("query"));
int start = 0; // first hit to display
String startString = request.getParameter("start");
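Review bot: The new line re-reads `request.getParameter("query")` instead of encoding the `queryString` that the preceding null check already validated; it should be `String htmlQueryString = net.nutch.html.Entities.encode(queryString);` so the two variables cannot diverge and the null case is covered once. Note also that the raw `queryString` stays in scope, so any other `<%=queryString%>` in the page that this patch does not touch would still be emitted unescaped; worth a grep before committing. The scriptlet this hunk belongs to continues outside the hunk.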
@@ -49,7 +50,7 @@
<jsp:include page="<%= language + "/include/header.html"%>"/>
<form name=search action="/search.jsp" method=get>
- <input name=query size=44 value='<%=queryString%>'>
+ <input name=query size=44 value="<%=htmlQueryString%>">
<input type=hidden name=hitsPerPage value=<%=hitsPerPage%>>
<input type=submit value="<i18n:message key="search"/>">
</form>
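Review bot: The fix now depends on `Entities.encode` escaping the double-quote character, because the attribute was switched from single to double quotes on the changed line; the encoder's implementation is not part of this patch, so if it only handles `<`, `>` and `&`, a query containing `"` still closes the attribute and the XSS remains. I would confirm that and leave a note at the call site, e.g. `<%-- htmlQueryString is used inside double-quoted attributes: Entities.encode must escape '"' --%>`. The unquoted `value=<%=hitsPerPage%>` on the hidden input is fine only if `hitsPerPage` is an int (its parsing is outside this hunk); if it is ever a raw request string it needs the same encoding and quoting.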
@@ -102,7 +103,7 @@
if (end < hits.getTotal()) { // insert next page button
%>
<form name=search action="/search.jsp" method=get>
- <input type=hidden name=query value='<%=queryString%>'>
+ <input type=hidden name=query value="<%=htmlQueryString%>">
<input type=hidden name=start value=<%=end%>>
<input type=hidden name=hitsPerPage value=<%=hitsPerPage%>>
<input type=submit value=<i18n:message key="next"/>>
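Review bot: The submit button on the last line emits the localized label as an unquoted attribute, `value=<i18n:message key="next"/>`, which truncates or breaks the markup as soon as a translation contains whitespace or quotes; the first form in this patch already quotes it, so this one should match: `<input type=submit value="<i18n:message key="next"/>">`. Likewise the hidden `start` and `hitsPerPage` values are unquoted; presumably both are ints (`end` appears computed from `start`), but quoting them keeps the new double-quoted style consistent across the form. The enclosing scriptlet `if (end < hits.getTotal())` block closes outside the hunk.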