commit 654217676bf16b953e476c6fc0ba2bd54917424e Author: Karsten Loesing karsten.loesing@gmx.net Date: Tue Mar 22 17:19:00 2011 +0100
Escape parameter values in HTML output.
Problem in exonerator.html spotted by Alexander Zenkov. Thanks! --- .../torproject/ernie/web/DescriptorServlet.java | 3 +- .../torproject/ernie/web/ExoneraTorServlet.java | 23 +++++++++++++------- src/org/torproject/ernie/web/RelayServlet.java | 3 +- 3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/org/torproject/ernie/web/DescriptorServlet.java b/src/org/torproject/ernie/web/DescriptorServlet.java
index 0ea8ea2..9e84baf 100644
--- a/src/org/torproject/ernie/web/DescriptorServlet.java
+++ b/src/org/torproject/ernie/web/DescriptorServlet.java
@@ -137,7 +137,8 @@ public class DescriptorServlet extends HttpServlet {
 }
 }
 if (descId == null) {
- out.write(" <br/><p>Sorry, "" + descIdParameter + "" is not a "
+ out.write(" <br/><p>Sorry, ""
+ + StringEscapeUtils.escapeHtml(descIdParameter) + "" is not a "
 + "valid descriptor identifier. Please provide at least the "
 + "first 8 hex characters of a descriptor identifier.</p>\n");
 writeFooter(out);
diff --git a/src/org/torproject/ernie/web/ExoneraTorServlet.java b/src/org/torproject/ernie/web/ExoneraTorServlet.java
index 35e292d..e501129 100644
--- a/src/org/torproject/ernie/web/ExoneraTorServlet.java
+++ b/src/org/torproject/ernie/web/ExoneraTorServlet.java
@@ -14,6 +14,7 @@ import javax.servlet.http.*;
 import javax.sql.*;
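Review bot: The new out.write line calls StringEscapeUtils in DescriptorServlet, but the only org.apache.commons.lang import this commit adds is the one in ExoneraTorServlet; unless DescriptorServlet already imports that package outside this hunk, the file will not compile, and the RelayServlet hunk at the end of the diff has the same question. The escaping itself is right for this spot: the parameter is interpolated as element text inside a <p>, which escapeHtml covers. The enclosing method starts and ends outside the hunk.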
import org.apache.commons.codec.binary.*;
+import org.apache.commons.lang.*;
public class ExoneraTorServlet extends HttpServlet {
@@ -184,8 +185,9 @@ public class ExoneraTorServlet extends HttpServlet {
 + Integer.parseInt(ipParts[3]);
 } else {
 ipWarning = """
 + (ipParameter.length() > 20 ?
- ipParameter.substring(0, 20) + "[...]" :
- ipParameter) + "" is not a valid IP address.";
+ StringEscapeUtils.escapeHtml(ipParameter.substring(0, 20))
+ + "[...]" : StringEscapeUtils.escapeHtml(ipParameter))
+ + "" is not a valid IP address.";
 }
 }
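Review bot: The truncate-then-escape expression assigned to ipWarning is repeated with small layout variations in the next three hunks (timestampWarning, targetAddrWarning, targetPortWarning), and the removed targetAddr lines show how such copies drift (they truncated timestampParameter instead of targetAddrParameter); a single helper would keep the escaping rule in one place so a future message cannot omit it. Truncating before escaping, as the hunk does, is the right order, since cutting an already-escaped string could split an entity. Note that escapeHtml in commons-lang 2 does not escape the apostrophe, so these values are only safe as element text or inside double-quoted attributes; if a warning is ever placed in a single-quoted attribute or a script block it needs a context-specific encoder. The enclosing method starts and ends outside the hunk.
```java
// … unchanged: IP address parsing …
} else {
  ipWarning = "\"" + truncateAndEscape(ipParameter, 20)
      + "\" is not a valid IP address.";
}

// class-level helper, placed outside the request-handling method
/**
 * Truncates value to at most maxLength characters (marking the cut with
 * "[...]") and HTML-escapes the result for use as element text.
 */
private static String truncateAndEscape(String value, int maxLength) {
  if (value.length() > maxLength) {
    return StringEscapeUtils.escapeHtml(value.substring(0, maxLength)) + "[...]";
  }
  return StringEscapeUtils.escapeHtml(value);
}
```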
@@ -210,8 +212,10 @@ public class ExoneraTorServlet extends HttpServlet {
 /* We have no way to handle this exception, other than leaving timestampStr at "". */
 timestampWarning = """
 + (timestampParameter.length() > 20 ?
- timestampParameter.substring(0, 20) + "[...]" :
- timestampParameter) + "" is not a valid timestamp.";
+ StringEscapeUtils.escapeHtml(timestampParameter.
+ substring(0, 20)) + "[...]" :
+ StringEscapeUtils.escapeHtml(timestampParameter))
+ + "" is not a valid timestamp.";
 }
 }
@@ -244,8 +248,9 @@ public class ExoneraTorServlet extends HttpServlet {
 targetIPParts = targetIP.split("\.");
 } else {
 targetAddrWarning = """
 + (targetAddrParameter.length() > 20 ?
- timestampParameter.substring(0, 20) + "[...]" :
- timestampParameter) + "" is not a valid IP address.";
+ StringEscapeUtils.escapeHtml(targetAddrParameter.substring(
+ 0, 20)) + "[...]" : StringEscapeUtils.escapeHtml(
+ targetAddrParameter)) + "" is not a valid IP address.";
 }
 }
@@ -266,8 +271,10 @@ public class ExoneraTorServlet extends HttpServlet {
 }
 } else {
 targetPortWarning = """
 + (targetPortParameter.length() > 8 ?
- targetPortParameter.substring(0, 8) + "[...]" :
- targetPortParameter) + "" is not a valid TCP port.";
+ StringEscapeUtils.escapeHtml(targetPortParameter.
+ substring(0, 8)) + "[...]" :
+ StringEscapeUtils.escapeHtml(targetPortParameter))
+ + "" is not a valid TCP port.";
 }
 }
diff --git a/src/org/torproject/ernie/web/RelayServlet.java b/src/org/torproject/ernie/web/RelayServlet.java
index 88331aa..48da03b 100644
--- a/src/org/torproject/ernie/web/RelayServlet.java
+++ b/src/org/torproject/ernie/web/RelayServlet.java
@@ -146,7 +146,8 @@ public class RelayServlet extends HttpServlet {
 }
 }
 if (!validParameter) {
- out.write(" <br/><p>Sorry, "" + fingerprintParameter
+ out.write(" <br/><p>Sorry, ""
+ + StringEscapeUtils.escapeHtml(fingerprintParameter)
 + "" is not a valid relay fingerprint. Please provide at "
 + "least the first 8 hex characters of a relay "
 + "fingerprint.</p>\n");