modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/legacy/action/BaseDispatchAction.java | 8 +++++ modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/legacy/action/resource/hub/HubForm.java | 15 +++++++++- 2 files changed, 22 insertions(+), 1 deletion(-)
New commits: commit d7f808be2e58cda3972c8ac61eb57ba181753cfa Author: Heiko W. Rupp hwr@redhat.com Date: Mon Jan 9 21:09:19 2012 +0100
BZ 771747 - escape <,",>,&,',/ to prevent html injection attacks (cherry picked from commit faa248bc6499c6dbbfb06fd7e141f01371ae1e36)
diff --git a/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/legacy/action/BaseDispatchAction.java b/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/legacy/action/BaseDispatchAction.java
index eca5a91..414fdb3 100644
--- a/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/legacy/action/BaseDispatchAction.java
+++ b/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/legacy/action/BaseDispatchAction.java
@@ -72,6 +72,14 @@ public abstract class BaseDispatchAction extends DispatchAction {
 throw new ServletException("dispatch parameter [" + parameter + "] not found");
 }
+ name = name
+ .replaceAll("&","&")
+ .replaceAll("<","<")
+ .replaceAll(">",">")
+ .replaceAll(""",""")
+ .replaceAll("'","'")
+ .replaceAll("/","/");
+
 // look up the dispatch method
 String methodName = getKeyMethodMap().getProperty(name);
 if (methodName == null) {
diff --git a/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/legacy/action/resource/hub/HubForm.java b/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/legacy/action/resource/hub/HubForm.java
index 8db0d6a..e1914f2 100644
--- a/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/legacy/action/resource/hub/HubForm.java
+++ b/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/legacy/action/resource/hub/HubForm.java
@@ -129,7 +129,20 @@ public abstract class HubForm extends BaseValidatorForm {
 }
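Review bot: The escaped `name` is the key passed to `getKeyMethodMap().getProperty(name)` on the following context line, so this rewrites the input before lookup rather than encoding at output: any dispatch value containing one of the six characters can no longer match a key and falls into the `methodName == null` branch, while the entity-encoded string is what reaches whatever message or page is built from `name` after that (outside the hunk). If the goal is to keep an untrusted dispatch name out of HTML, validating here is the clearer contract — reject a `name` that is not a key of the map, e.g. `if (!getKeyMethodMap().containsKey(name)) { throw new ServletException("unknown dispatch [" + name + "]"); }` — and encode at the rendering point. The same six-step chain reappears in HubForm.setKeywords with a different step order; one shared static helper (say `escapeHtml(String)`) using literal `String.replace` instead of regex `replaceAll` would pin the `&`-first ordering in a single place. As printed, each replacement string is identical to its pattern (`"&","&"`), presumably because the mail rendering stripped the `&amp;`/`&lt;` entities; worth confirming against the real source that `&` is replaced first with `&amp;`, since the later steps introduce new `&` characters. The enclosing method begins before and continues after this hunk.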
 public void setKeywords(String keywords) {
- this.keywords = keywords;
+ if (keywords==null) {
+ this.keywords=null;
+ return;
+ }
+
+ this.keywords = keywords
+ .replaceAll("&","&")
+ .replaceAll("<","<")
+ .replaceAll(""",""")
+ .replaceAll(">",">")
+ .replaceAll("'","'")
+ .replaceAll("/","/");
+
+
 }
public String getKeywords() {
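Review bot: Encoding inside the setter stores the HTML-escaped form in `this.keywords`, so `getKeywords()` (whose body lies outside the hunk) now hands back entities instead of the user's text; any non-HTML consumer of the property — presumably the search that the keywords drive — would then match on the escaped string, and a view that already escapes output (for example a `<c:out>` with `escapeXml`) would double-encode it. Output encoding belongs at the point of rendering; if a pre-escaped property is needed for a JSP, keep the raw value and expose the escaped one separately, e.g. `public String getEscapedKeywords() { return keywords == null ? null : escapeHtml(keywords); }`, with `escapeHtml` a shared helper also used by BaseDispatchAction. The chain here swaps the `"` and `>` steps relative to BaseDispatchAction, which is harmless only because `&` is first in both — a single helper using literal `String.replace` rather than regex `replaceAll` removes the risk of the two copies drifting. As printed, each replacement equals its pattern (`"&","&"`), presumably entities lost in the mail rendering; confirm in the actual source that the `&` step produces `&amp;` before the `<`, `>`, `"`, `'` and `/` steps run.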