security: the error message was not escaped, which could enable cross-site scripting

git-svn-id: https://svn.apache.org/repos/asf/lucene/java/trunk@150614 13f79535-47bb-0310-9956-ffa450edef68
Daniel Naber 2004-10-16 16:21:58 +00:00
parent a819643d58
commit 3a84008a63
1 changed files with 12 additions and 2 deletions


@ -15,6 +15,16 @@
*/
%>
<%!
public String escapeHTML(String s) {
s = s.replaceAll("&", "&amp;");
s = s.replaceAll("<", "&lt;");
s = s.replaceAll(">", "&gt;");
s = s.replaceAll("\"", "&quot;");
s = s.replaceAll("'", "&apos;");
return s;
}
%>
<%@include file="header.jsp"%>
<%
boolean error = false; //used to control flow for error messages
@ -40,7 +50,7 @@
//or otherwise corrupt index
%>
<p>ERROR opening the Index - contact sysadmin!</p>
<p>While parsing query: <%=e.getMessage()%></p>
<p>Error message: <%=escapeHTML(e.getMessage())%></p>
<% error = true; //don't do anything up to the footer
}
%>
@ -72,7 +82,7 @@
//send them a nice error HTML
%>
<p>Error while parsing query: <%=e.getMessage()%></p>
<p>Error while parsing query: <%=escapeHTML(e.getMessage())%></p>
<%
error = true; //don't bother with the rest of
//the page
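Review bot: `escapeHTML` dereferences its argument on the first statement of its body (`s.replaceAll("&", "&amp;")` in the first hunk), but `Throwable.getMessage()` may return null, so the new `escapeHTML(e.getMessage())` calls in the second and third hunks would turn a message-less exception into a NullPointerException thrown from inside the catch block, most likely surfacing as a container error page instead of the intended error paragraph. A guard at the top of the method, `if (s == null) { return ""; }`, keeps the page rendering in that case. Separately, `&apos;` is an XML entity that HTML 4 user agents are not required to recognise; `&#39;` is the portable encoding of the single quote and gives the same protection. A one-line Javadoc above the method, such as `/** Escapes the five HTML-significant characters so untrusted text is safe in element content or a quoted attribute value. */`, would document the contract the two call sites now rely on.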