[metrics-web/master] Escape parameter values in HTML output.

commit 654217676bf16b953e476c6fc0ba2bd54917424e
Author: Karsten Loesing <karsten.loesing@gmx.net>
Date: Tue Mar 22 17:19:00 2011 +0100
Escape parameter values in HTML output. Problem in exonerator.html spotted by Alexander Zenkov. Thanks!
---
.../torproject/ernie/web/DescriptorServlet.java | 3 +-
.../torproject/ernie/web/ExoneraTorServlet.java | 23 +++++++++++++-------
src/org/torproject/ernie/web/RelayServlet.java | 3 +-
3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/org/torproject/ernie/web/DescriptorServlet.java b/src/org/torproject/ernie/web/DescriptorServlet.java
index 0ea8ea2..9e84baf 100644
--- a/src/org/torproject/ernie/web/DescriptorServlet.java
+++ b/src/org/torproject/ernie/web/DescriptorServlet.java
@@ -137,7 +137,8 @@ public class DescriptorServlet extends HttpServlet {
 }
 }
 if (descId == null) {
- out.write(" <br/><p>Sorry, \"" + descIdParameter + "\" is not a "
+ out.write(" <br/><p>Sorry, \""
+ + StringEscapeUtils.escapeHtml(descIdParameter) + "\" is not a "
 + "valid descriptor identifier. Please provide at least the "
 + "first 8 hex characters of a descriptor identifier.</p>\n");
 writeFooter(out);
diff --git a/src/org/torproject/ernie/web/ExoneraTorServlet.java b/src/org/torproject/ernie/web/ExoneraTorServlet.java
index 35e292d..e501129 100644
--- a/src/org/torproject/ernie/web/ExoneraTorServlet.java
+++ b/src/org/torproject/ernie/web/ExoneraTorServlet.java
@@ -14,6 +14,7 @@ import javax.servlet.http.*;
 import javax.sql.*;
 import org.apache.commons.codec.binary.*;
+import org.apache.commons.lang.*;
 public class ExoneraTorServlet extends HttpServlet {
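Review bot: On the added `StringEscapeUtils.escapeHtml(descIdParameter)` line the parameter is still reflected at its full length, while the ExoneraTorServlet hunks in this same commit cap echoed values at 20 characters before escaping, so an arbitrarily long bogus `descId` is written into the page wholesale; the RelayServlet hunk for `fingerprintParameter` has the same asymmetry. Truncating before escaping keeps the message bounded and matches the rest of the commit, e.g. `StringEscapeUtils.escapeHtml(descIdParameter.length() > 20 ? descIdParameter.substring(0, 20) + "[...]" : descIdParameter)`. Separately, commons-lang's `escapeHtml(null)` returns null, so if this branch can be reached with a null parameter the page prints the literal `null` exactly as before; a null guard is only needed if that is reachable, which the hunk does not show. The enclosing method starts and ends outside the hunk.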
@@ -184,8 +185,9 @@ public class ExoneraTorServlet extends HttpServlet {
 + Integer.parseInt(ipParts[3]);
 } else {
 ipWarning = "\"" + (ipParameter.length() > 20 ?
- ipParameter.substring(0, 20) + "[...]" :
- ipParameter) + "\" is not a valid IP address.";
+ StringEscapeUtils.escapeHtml(ipParameter.substring(0, 20))
+ + "[...]" : StringEscapeUtils.escapeHtml(ipParameter))
+ + "\" is not a valid IP address.";
 }
 }
@@ -210,8 +212,10 @@ public class ExoneraTorServlet extends HttpServlet {
 /* We have no way to handle this exception, other than leaving timestampStr at "". */
 timestampWarning = "\"" + (timestampParameter.length() > 20 ?
- timestampParameter.substring(0, 20) + "[...]" :
- timestampParameter) + "\" is not a valid timestamp.";
+ StringEscapeUtils.escapeHtml(timestampParameter.
+ substring(0, 20)) + "[...]" :
+ StringEscapeUtils.escapeHtml(timestampParameter))
+ + "\" is not a valid timestamp.";
 }
 }
@@ -244,8 +248,9 @@ public class ExoneraTorServlet extends HttpServlet {
 targetIPParts = targetIP.split("\\.");
 } else {
 targetAddrWarning = "\"" + (targetAddrParameter.length() > 20 ?
- timestampParameter.substring(0, 20) + "[...]" :
- timestampParameter) + "\" is not a valid IP address.";
+ StringEscapeUtils.escapeHtml(targetAddrParameter.substring(
+ 0, 20)) + "[...]" : StringEscapeUtils.escapeHtml(
+ targetAddrParameter)) + "\" is not a valid IP address.";
 }
 }
@@ -266,8 +271,10 @@ public class ExoneraTorServlet extends HttpServlet {
 }
 } else {
 targetPortWarning = "\"" + (targetPortParameter.length() > 8 ?
- targetPortParameter.substring(0, 8) + "[...]" :
- targetPortParameter) + "\" is not a valid TCP port.";
+ StringEscapeUtils.escapeHtml(targetPortParameter.
+ substring(0, 8)) + "[...]" :
+ StringEscapeUtils.escapeHtml(targetPortParameter))
+ + "\" is not a valid TCP port.";
 }
 }
diff --git a/src/org/torproject/ernie/web/RelayServlet.java b/src/org/torproject/ernie/web/RelayServlet.java
index 88331aa..48da03b 100644
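Review bot: The truncate-then-escape expression is now hand-copied four times across the hunks at -184, -210, -244 and -266, and the -244 hunk itself shows why that is fragile: its old side built `targetAddrWarning` from `timestampParameter` instead of `targetAddrParameter`, a copy-paste slip the new side corrects in passing. A small private helper that truncates and escapes in one place would make each warning a one-liner and leave nothing to mis-copy; the helper and one rewritten call site are sketched below, and the other three sites follow the same shape. Two caveats belong in the helper's comment: commons-lang 2's `escapeHtml` does not escape the single quote, so these warnings are only safe as element text or inside double-quoted attributes, and it returns null for a null input (though the preceding `length()` call would already have thrown). Each hunk's enclosing method begins and ends outside the hunk.
```java
      } else {
        ipWarning = "\"" + escapeForPage(ipParameter, 20)
            + "\" is not a valid IP address.";
      }
// … unchanged: the timestamp, target address and target port warnings
//     call escapeForPage(timestampParameter, 20),
//     escapeForPage(targetAddrParameter, 20) and
//     escapeForPage(targetPortParameter, 8) the same way …

  /* Truncates a user-supplied parameter to maxLength characters (marking
   * the cut with "[...]") and HTML-escapes it so it can be echoed into the
   * page as element text. Only safe for element text or double-quoted
   * attributes: escapeHtml leaves the single quote alone. */
  private static String escapeForPage(String value, int maxLength) {
    String shown = value.length() > maxLength
        ? value.substring(0, maxLength) + "[...]" : value;
    return StringEscapeUtils.escapeHtml(shown);
  }
```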
--- a/src/org/torproject/ernie/web/RelayServlet.java
+++ b/src/org/torproject/ernie/web/RelayServlet.java
@@ -146,7 +146,8 @@ public class RelayServlet extends HttpServlet {
 }
 }
 if (!validParameter) {
- out.write(" <br/><p>Sorry, \"" + fingerprintParameter
+ out.write(" <br/><p>Sorry, \""
+ + StringEscapeUtils.escapeHtml(fingerprintParameter)
 + "\" is not a valid relay fingerprint. Please provide at "
 + "least the first 8 hex characters of a relay "
 + "fingerprint.</p>\n");
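Review bot: Neither this hunk nor the DescriptorServlet one adds an `org.apache.commons.lang` import, and the diffstat (`3 +-` for both files) confirms no import line was touched, whereas ExoneraTorServlet needed `import org.apache.commons.lang.*;` added in this same commit. Both files therefore presumably already import `StringEscapeUtils` or its package, which is worth confirming, since otherwise the added `StringEscapeUtils.escapeHtml(fingerprintParameter)` line does not compile. The enclosing method starts and ends outside the hunk.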