https://issues.apache.org/activemq/browse/AMQ-2613 - more web console sanitation

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@931552 13f79535-47bb-0310-9956-ffa450edef68

activemq-web-console/src/main/java/org/apache/activemq/web/controller/SendMessage.java

@@ -178,6 +178,9 @@ public class SendMessage extends DestinationFacade implements Controller {
             for (Iterator iter = map.entrySet().iterator(); iter.hasNext();) {
                 Map.Entry entry = (Map.Entry) iter.next();
                 String name = (String) entry.getKey();
+                if (name.equals("secret")) {
+                	continue;
+                }
                 Object value = entry.getValue();
                 if (isValidPropertyName(name)) {
                     if (value instanceof String[]) {

activemq-web-console/src/main/webapp/browse.jsp

@@ -41,13 +41,13 @@
 <tr>
 <td><a href="message.jsp?id=${row.JMSMessageID}&JMSDestination=<c:out value="${requestContext.queueBrowser.JMSDestination}" />" 
     title="${row.properties}">${row.JMSMessageID}</a></td>
-<td>${row.JMSCorrelationID}</td>
+<td><c:out value="${row.JMSCorrelationID}"/></td>
 <td><jms:persistent message="${row}"/></td>
-<td>${row.JMSPriority}</td>
+<td><c:out value="${row.JMSPriority}"/></td>
-<td>${row.JMSRedelivered}</td>
+<td><c:out value="${row.JMSRedelivered}"/></td>
-<td>${row.JMSReplyTo}</td>
+<td><c:out value="${row.JMSReplyTo}"/></td>
 <td><jms:formatTimestamp timestamp="${row.JMSTimestamp}"/></td>
-<td>${row.JMSType}</td>
+<td><c:out value="${row.JMSType}"/></td>
 <td>
     <a href="deleteMessage.action?JMSDestination=<c:out value="${row.JMSDestination}"/>&messageId=${row.JMSMessageID}&secret=<c:out value='${sessionScope["secret"]}'/>">Delete</a>
 </td>

activemq-web-console/src/main/webapp/connection.jsp

@@ -17,7 +17,7 @@
 <html>
 <head>
 <c:set var="row" value="${requestContext.connectionQuery.connection}"/>
-<title>Connection ${requestContext.connectionQuery.connectionID}</title>
+<title>Connection <c:out value="${requestContext.connectionQuery.connectionID}" /></title>
 </head>
 <body>
 
@@ -26,40 +26,40 @@
 <c:when test="${empty row}">
 
 <div>
-No connection could be found for ID ${requestContext.connectionQuery.connectionID}
+No connection could be found for ID <c:out value="${requestContext.connectionQuery.connectionID}" />
 </div>
 
 </c:when>
 
 <c:otherwise>
 
-<h2>Connection ${requestContext.connectionQuery.connectionID}</h2>
+<h2>Connection <c:out value="${requestContext.connectionQuery.connectionID}" /></h2>
 
 <table id="header" class="sortable autostripe">
 	<tbody>
 		<tr>
 			<td class="label" title="Unique ID for this connection">Connection ID</td>
-			<td>${requestContext.connectionQuery.connectionID}</td>
+			<td><c:out value="${requestContext.connectionQuery.connectionID}" /></td>
 		</tr>
 		<tr>
 			<td class="label" tite="Hostname and port of the connected party">Remote Address</td>
-			<td>${row.remoteAddress}</td>
+			<td><c:out value="${row.remoteAddress}" /></td>
 		</tr>
 		<tr>
 			<td class="label">Active</td>
-			<td>${row.active}</td>
+			<td><c:out value="${row.active}" /></td>
 		</tr>
 		<tr>
 			<td class="label">Connected</td>
-			<td>${row.connected}</td>
+			<td><c:out value="${row.connected}" /></td>
 		</tr>
 		<tr>
 			<td class="label">Blocked</td>
-			<td>${row.blocked}</td>
+			<td><c:out value="${row.blocked}" /></td>
 		</tr>
 		<tr>
 			<td class="label">Slow</td>
-			<td>${row.slow}</td>
+			<td><c:out value="${row.slow}" /></td>
 		</tr>
 	</tbody>
 </table>
@@ -96,29 +96,29 @@ No connection could be found for ID ${requestContext.connectionQuery.connectionI
 	<td>
 		<c:choose>
 			<c:when test="${consumer.destinationQueue}">
-				Queue <a href="browse.jsp?JMSDestination=${consumer.destinationName}">${consumer.destinationName}</a>
+				Queue <a href="browse.jsp?JMSDestination=${consumer.destinationName}"><c:out value="${consumer.destinationName}" /></a>
 			</c:when>
 			<c:when test="${consumer.destinationTopic}">
-				Topic <a href="send.jsp?JMSDestination=${consumer.destinationName}">${consumer.destinationName}</a>
+				Topic <a href="send.jsp?JMSDestination=${consumer.destinationName}"><c:out value="${consumer.destinationName}" /></a>
 			</c:when>
 			<c:otherwise>
-				${consumer.destinationName}
+				<c:out value="${consumer.destinationName}" />
 			</c:otherwise>
 		</c:choose>
 	</td>
-	<td>${consumer.sessionId}</td>
+	<td><c:out value="${consumer.sessionId}" /></td>
-	<td>${consumer.selector}</td>
+	<td><c:out value="${consumer.selector}" /></td>
-	<td>${consumer.enqueueCounter}</td>
+	<td><c:out value="${consumer.enqueueCounter}" /></td>
-	<td>${consumer.dequeueCounter}</td>
+	<td><c:out value="${consumer.dequeueCounter}" /></td>
-	<td>${consumer.dispachedCounter}</td>
+	<td><c:out value="${consumer.dispachedCounter}" /></td>
-	<td>${consumer.dispatchedQueueSize}</td>
+	<td><c:out value="${consumer.dispatchedQueueSize}" /></td>
 	<td>
-		${consumer.prefetchSize}<br/>
+		<c:out value="${consumer.prefetchSize}" /><br/>
-		${consumer.maximumPendingMessageLimit}
+		<c:out value="${consumer.maximumPendingMessageLimit}" />
 	</td>
 	<td>
-		${consumer.exclusive}<br/>
+		<c:out value="${consumer.exclusive}" /><br/>
-		${consumer.retroactive}
+		<c:out value="${consumer.retroactive}" />
 	</td>
 </tr>
 </c:forEach>

activemq-web-console/src/main/webapp/message.jsp

@@ -17,7 +17,7 @@
 <html>
 <head>
 <c:set var="row" value="${requestContext.messageQuery.message}"/>
-<title>Message ${requestContext.messageQuery.id}</title>
+<title>Message <c:out value="${requestContext.messageQuery.id}"/></title>
 </head>
 <body>
 
@@ -26,7 +26,7 @@
 <c:when test="${empty row}">
 
 <div>
-No message could be found for ID ${requestContext.messageQuery.id}
+No message could be found for ID <c:out value="${requestContext.messageQuery.id}"/>
 </div>
 
 </c:when>
@@ -47,7 +47,7 @@ No message could be found for ID ${requestContext.messageQuery.id}
 				<tbody>
 					<tr>
 						<td class="label" title="Unique Message ID for this message">Message ID</td>
-						<td>${row.JMSMessageID}</td>
+						<td><c:out value="${row.JMSMessageID}"/></td>
 					</tr>
 					<tr>
 						<td class="label">Destination</td>
@@ -55,19 +55,19 @@ No message could be found for ID ${requestContext.messageQuery.id}
 					</tr>
 					<tr>
 						<td class="label" title="The ID used to correlate messages together in a conversation">Correlation ID</td>
-						<td>${row.JMSCorrelationID}</td>
+						<td><c:out value="${row.JMSCorrelationID}"/></td>
 					</tr>
 					<tr>
 						<td class="label" title="Message Group Identifier">Group</td>
-						<td>${row.groupID}</td>
+						<td><c:out value="${row.groupID}"/></td>
 					</tr>
 					<tr>
 						<td class="label" title="Message Group Sequence Number">Sequence</td>
-						<td>${row.groupSequence}</td>
+						<td><c:out value="${row.groupSequence}"/></td>
 					</tr>
 					<tr>
 						<td class="label">Expiration</td>
-						<td>${row.JMSExpiration}</td>
+						<td><c:out value="${row.JMSExpiration}"/></td>
 					</tr>
 					<tr>
 						<td class="label">Persistence</td>
@@ -75,15 +75,15 @@ No message could be found for ID ${requestContext.messageQuery.id}
 					</tr>
 					<tr>
 						<td class="label">Priority</td>
-						<td>${row.JMSPriority}</td>
+						<td><c:out value="${row.JMSPriority}"/></td>
 					</tr>
 					<tr>
 						<td class="label">Redelivered</td>
-					    <td>${row.JMSRedelivered}</td>
+					    <td><c:out value="${row.JMSRedelivered}"/></td>
 					</tr>
 					<tr>
 						<td class="label">Reply To</td>
-						<td>${row.JMSReplyTo}</td>
+						<td><c:out value="${row.JMSReplyTo}"/></td>
 					</tr>
 					<tr>
 						<td class="label">Timestamp</td>
@@ -91,7 +91,7 @@ No message could be found for ID ${requestContext.messageQuery.id}
 					</tr>
 					<tr>
 						<td class="label">Type</td>
-						<td>${row.JMSType}</td>
+						<td><c:out value="${row.JMSType}"/></td>
 					</tr>
 				</tbody>
 			</table>
@@ -109,8 +109,8 @@ No message could be found for ID ${requestContext.messageQuery.id}
 				<tbody>
                    <form:forEachMapEntry items="${requestContext.messageQuery.propertiesMap}" var="prop">
 						<tr>
-							<td class="label">${prop.key}</td>
+							<td class="label"><c:out value="${prop.key}"/></td>
-							<td>${prop.value}</td>
+							<td><c:out value="${prop.value}"/></td>
 						</tr>
 						<tr>
 					</form:forEachMapEntry>