From 3a84008a633ee62ef7f8d570888157bcf4d08daa Mon Sep 17 00:00:00 2001
From: Daniel Naber <dnaber@apache.org>
Date: Sat, 16 Oct 2004 16:21:58 +0000
Subject: [PATCH] security: the error message was not escaped, this could
 enable cross site scripting

git-svn-id: https://svn.apache.org/repos/asf/lucene/java/trunk@150614 13f79535-47bb-0310-9956-ffa450edef68
---
 src/jsp/results.jsp | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/jsp/results.jsp b/src/jsp/results.jsp
index 8788a35966a..3b2d79d0e95 100755
--- a/src/jsp/results.jsp
+++ b/src/jsp/results.jsp
@@ -15,6 +15,16 @@
 
 */
 %>
+<%!
+public String escapeHTML(String s) {
+  s = s.replaceAll("&", "&amp;");
+  s = s.replaceAll("<", "&lt;");
+  s = s.replaceAll(">", "&gt;");
+  s = s.replaceAll("\"", "&quot;");
+  s = s.replaceAll("'", "&apos;");
+  return s;
+}
+%>
 <%@include file="header.jsp"%>
 <%
         boolean error = false;                  //used to control flow for error messages
@@ -40,7 +50,7 @@
                                                         //or otherwise corrupt index
 %>
                 <p>ERROR opening the Index - contact sysadmin!</p>
-                <p>While parsing query: <%=e.getMessage()%></p>   
+                <p>Error message: <%=escapeHTML(e.getMessage())%></p>   
 <%                error = true;                                  //don't do anything up to the footer
         }
 %>
@@ -72,7 +82,7 @@
                                                                       //send them a nice error HTML
                                                                       
 %>
-                        <p>Error while parsing query: <%=e.getMessage()%></p>
+                        <p>Error while parsing query: <%=escapeHTML(e.getMessage())%></p>
 <%
                         error = true;                                 //don't bother with the rest of
                                                                       //the page