Author: markt Date: Tue Jan 17 13:52:02 2006 New Revision: 369933 URL: http://svn.apache.org/viewcvs?rev=369933&view=rev Log: Fix XSS issues in examples.
Modified: tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp
Modified: tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp
URL: http://svn.apache.org/viewcvs/tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp?rev=369933&r1=369932&r2=369933&view=diff
==============================================================================
--- tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp (original)
+++ tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp Tue Jan 17 13:52:02 2006
@@ -29,12 +29,12 @@
 <FONT SIZE=5> Please add the following event: <BR> <h3> Date <%= table.getDate() %>
-<BR> Time <%= time %> </h3>
+<BR> Time <%= util.HTMLFilter.filter(time) %> </h3>
 </FONT> <FORM METHOD=POST ACTION=cal1.jsp> <BR> <BR> <INPUT NAME="date" TYPE=HIDDEN VALUE="current">
-<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= time %>
+<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= util.HTMLFilter.filter(time) %>
 <BR> <h2> Description of the event <INPUT NAME="description" TYPE=TEXT SIZE=20> </h2> <BR> <INPUT TYPE=SUBMIT VALUE="submit"> </FORM>
Modified: tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp
URL: http://svn.apache.org/viewcvs/tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp?rev=369933&r1=369932&r2=369933&view=diff
==============================================================================
--- tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp (original)
+++ tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp Tue Jan 17 13:52:02 2006
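Review bot: The hidden `time` input on the new side still interpolates into an unquoted attribute value (`VALUE=<%= util.HTMLFilter.filter(time) %>`), so the added escaping only half-closes the hole: an unquoted HTML attribute ends at the first whitespace, and anything after it is parsed as further attributes of the `<INPUT>` element. `util.HTMLFilter` is not shown in this diff; if, as its use here suggests, it only entity-encodes `<`, `>`, `&` and `"`, then a `time` value containing a space followed by `name=value` pairs passes through it unchanged and is injected as attributes. Quoting the value makes the filter's `"` encoding actually bound the attribute: `<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE="<%= util.HTMLFilter.filter(time) %>">`. A hidden input offers less surface than a visible element, but attribute injection should still be closed rather than relied on to be inert. Where `time` is assigned is outside this hunk; presumably it is taken from the request, which is what makes it untrusted.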
@@ -49,11 +49,13 @@
 if (role.length() > 0) { if (request.isUserInRole(role)) { %>
- You have been granted role <b><%= role %></b><br><br>
+ You have been granted role
+ <b><%= util.HTMLFilter.filter(role) %></b><br><br>
 <% } else { %>
- You have <i>not</i> been granted role <b><%= role %></b><br><br>
+ You have <i>not</i> been granted role
+ <b><%= util.HTMLFilter.filter(role) %></b><br><br>
 <% } }
@@ -62,7 +64,7 @@
 To check whether your username has been granted a particular role, enter it here: <form method="GET" action='<%= response.encodeURL("index.jsp") %>'>
-<input type="text" name="role" value="<%= role %>">
+<input type="text" name="role" value="<%= util.HTMLFilter.filter(role) %>">
 </form> <br><br>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]