From 5bfe85082e82f5f862832ebdd8a2309edb6696e1 Mon Sep 17 00:00:00 2001
From: "Chris M. Hostetter" <hossman@apache.org>
Date: Sat, 13 Feb 2010 03:28:07 +0000
Subject: [PATCH] SOLR-1579: fixes to xml escaping in stats.jsp (the fix
 commited as part of SOLR-1008 was incorrect)

git-svn-id: https://svn.apache.org/repos/asf/lucene/solr/trunk@909705 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES.txt                    |  3 +++
 src/webapp/web/admin/stats.jsp | 22 +++++++++++-----------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/CHANGES.txt b/CHANGES.txt
index f687f9db7c0..aca66449612 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -175,6 +175,9 @@ Bug Fixes
 
 * SOLR-1736:In the slave , If 'mov'ing file does not succeed , copy the file (noble)  
 
+* SOLR-1579: Fixes to XML escaping in stats.jsp
+  (David Bowen and hossman)
+
 Other Changes
 ----------------------
 
diff --git a/src/webapp/web/admin/stats.jsp b/src/webapp/web/admin/stats.jsp
index ca38c88e9b3..5a8e7d6e9ca 100644
--- a/src/webapp/web/admin/stats.jsp
+++ b/src/webapp/web/admin/stats.jsp
@@ -27,12 +27,12 @@
 <solr>
   <%  
   if (core.getName() != null) { %> 
-	  <core><%=core.getName()%></core> 
+	  <core><% XML.escapeCharData(core.getName(), out); %></core> 
   <% } %>
-  <schema><%= collectionName %></schema>
-  <host><%= hostname %></host>
-  <now><%= new Date().toString() %></now>
-  <start><%= new Date(core.getStartTime()) %></start>
+  <schema><% XML.escapeCharData(collectionName, out); %></schema>
+  <host><% XML.escapeCharData(hostname, out); %></host>
+  <now><% XML.escapeCharData(new Date().toString(), out); %></now>
+  <start><% XML.escapeCharData(new Date(core.getStartTime()).toString(), out); %></start>
   <solr-info>
 <%
 for (SolrInfoMBean.Category cat : SolrInfoMBean.Category.values()) {
@@ -55,23 +55,23 @@ for (SolrInfoMBean.Category cat : SolrInfoMBean.Category.values()) {
 %>
     <entry>
       <name>
-        <%= key %>
+        <% XML.escapeCharData(key, out); %>
       </name>
       <class>
-        <%= name %>
+        <% XML.escapeCharData(name, out); %>
       </class>
       <version>
-        <%= vers %>
+        <% XML.escapeCharData(vers, out); %>
       </version>
       <description>
-        <%= desc %>
+        <% XML.escapeCharData(desc, out); %>
       </description>
       <stats>
 <%
       for (int i = 0; i < nl.size() ; i++) {
 %>
-        <stat name="<%XML.escapeCharData(nl.getName(i), out);  %>" >
-          <%= nl.getVal(i).toString() %>
+        <stat name="<% XML.escapeAttributeValue(nl.getName(i), out);  %>" >
+          <% XML.escapeCharData(nl.getVal(i).toString(), out); %>
         </stat>
 <%
       }