[or-cvs] [metrics-web/master] Escape descriptors in HTML output. Spotted by BarkerJr.
commit f6b8d3c943ad80a4b9ea5101aa9d40ca7a6b1aff
Author: Karsten Loesing <karsten.loesing@xxxxxxx>
Date: Wed Feb 2 10:09:06 2011 +0100
Escape descriptors in HTML output. Spotted by BarkerJr.
---
.../torproject/ernie/web/DescriptorServlet.java | 15 +++++++++++----
src/org/torproject/ernie/web/RelayServlet.java | 9 +++++++--
2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/org/torproject/ernie/web/DescriptorServlet.java b/src/org/torproject/ernie/web/DescriptorServlet.java
index c291ef7..0ea8ea2 100644
--- a/src/org/torproject/ernie/web/DescriptorServlet.java
+++ b/src/org/torproject/ernie/web/DescriptorServlet.java
@@ -16,6 +16,8 @@ import javax.sql.*;
import org.apache.commons.codec.*;
import org.apache.commons.codec.binary.*;
+import org.apache.commons.lang.*;
+
public class DescriptorServlet extends HttpServlet {
private DataSource ds;
@@ -239,8 +241,11 @@ public class DescriptorServlet extends HttpServlet {
/* Print out both server and extra-info descriptor. */
out.write("<br/><p>The following server descriptor was published by "
+ "relay " + nickname + " at " + published + " UTC:</p>");
- BufferedReader br = new BufferedReader(new StringReader(new String(
- rawDescriptor, "US-ASCII")));
+ String descriptorString = new String(rawDescriptor, "US-ASCII");
+ String escapedDescriptorString = StringEscapeUtils.escapeHtml(
+ descriptorString);
+ BufferedReader br = new BufferedReader(new StringReader(
+ escapedDescriptorString));
String line = null;
while ((line = br.readLine()) != null) {
out.println(" <tt>" + line + "</tt><br/>");
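Review bot: `nickname` is still interpolated unescaped into the `<p>` on the two context lines directly above the new escaping code, so this hunk closes the hole for the descriptor body only; unless `nickname` is known to be validated before it reaches this method, the same call should cover it, `+ "relay " + StringEscapeUtils.escapeHtml(nickname) + " at " + published + " UTC:</p>");`. The decode, escape and wrap-in-reader sequence is now written out three times (this hunk, the extra-info hunk below it, and the RelayServlet hunk), and the single-use `descriptorString` temporary adds a line each time; a small private helper that takes the raw bytes and returns the `BufferedReader` would keep the three sites in step if the escaping ever needs to change. The added `import org.apache.commons.lang.*;` follows the file's wildcard style, but `import org.apache.commons.lang.StringEscapeUtils;` would name the one class actually used. The enclosing method starts and ends outside the hunk.
```java
/* Decodes a raw descriptor and HTML-escapes it so its lines can be printed. */
private static BufferedReader escapedDescriptorReader(byte[] raw)
    throws UnsupportedEncodingException {
  return new BufferedReader(new StringReader(
      StringEscapeUtils.escapeHtml(new String(raw, "US-ASCII"))));
}
// … unchanged: heading output …
BufferedReader br = escapedDescriptorReader(rawDescriptor);
```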
@@ -249,8 +254,10 @@ public class DescriptorServlet extends HttpServlet {
if (rawExtrainfo != null) {
out.println("<br/><p>Together with this server descriptor, the "
+ "relay published the following extra-info descriptor:</p>");
- br = new BufferedReader(new StringReader(new String(rawExtrainfo,
- "US-ASCII")));
+ String extraInfoString = new String(rawExtrainfo, "US-ASCII");
+ String escapedExtraInfoString = StringEscapeUtils.escapeHtml(
+ extraInfoString);
+ br = new BufferedReader(new StringReader(escapedExtraInfoString));
line = null;
while ((line = br.readLine()) != null) {
out.println(" <tt>" + line + "</tt><br/>");
diff --git a/src/org/torproject/ernie/web/RelayServlet.java b/src/org/torproject/ernie/web/RelayServlet.java
index 78ad7b6..88331aa 100644
--- a/src/org/torproject/ernie/web/RelayServlet.java
+++ b/src/org/torproject/ernie/web/RelayServlet.java
@@ -16,6 +16,8 @@ import javax.sql.*;
import org.apache.commons.codec.*;
import org.apache.commons.codec.binary.*;
+import org.apache.commons.lang.*;
+
public class RelayServlet extends HttpServlet {
private SimpleDateFormat dayFormat =
@@ -335,8 +337,11 @@ public class RelayServlet extends HttpServlet {
/* Print out both server and extra-info descriptor. */
out.write("<br/><p>The last referenced server descriptor published "
+ "by this relay is:</p>");
- BufferedReader br = new BufferedReader(new StringReader(new String(
- rawDescriptor, "US-ASCII")));
+ String descriptorString = new String(rawDescriptor, "US-ASCII");
+ String escapedDescriptorString = StringEscapeUtils.escapeHtml(
+ descriptorString);
+ BufferedReader br = new BufferedReader(new StringReader(
+ escapedDescriptorString));
String line = null;
while ((line = br.readLine()) != null) {
out.println(" <tt>" + line + "</tt><br/>");