[tor-commits] [metrics-web/master] Escape parameter values in HTML output.
commit 654217676bf16b953e476c6fc0ba2bd54917424e
Author: Karsten Loesing <karsten.loesing@xxxxxxx>
Date: Tue Mar 22 17:19:00 2011 +0100
Escape parameter values in HTML output.
Problem in exonerator.html spotted by Alexander Zenkov. Thanks!
---
.../torproject/ernie/web/DescriptorServlet.java | 3 +-
.../torproject/ernie/web/ExoneraTorServlet.java | 23 +++++++++++++-------
src/org/torproject/ernie/web/RelayServlet.java | 3 +-
3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/org/torproject/ernie/web/DescriptorServlet.java b/src/org/torproject/ernie/web/DescriptorServlet.java
index 0ea8ea2..9e84baf 100644
--- a/src/org/torproject/ernie/web/DescriptorServlet.java
+++ b/src/org/torproject/ernie/web/DescriptorServlet.java
@@ -137,7 +137,8 @@ public class DescriptorServlet extends HttpServlet {
}
}
if (descId == null) {
- out.write(" <br/><p>Sorry, \"" + descIdParameter + "\" is not a "
+ out.write(" <br/><p>Sorry, \""
+ + StringEscapeUtils.escapeHtml(descIdParameter) + "\" is not a "
+ "valid descriptor identifier. Please provide at least the "
+ "first 8 hex characters of a descriptor identifier.</p>\n");
writeFooter(out);
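Review bot: The escaped `descIdParameter` on the added line is echoed back at full length, whereas the same commit truncates the reflected value to 20 characters in ExoneraTorServlet before escaping; an arbitrarily long query parameter therefore lands verbatim (if escaped) in the error page. Consider applying the same cap here, e.g. `StringEscapeUtils.escapeHtml(descIdParameter.length() > 20 ? descIdParameter.substring(0, 20) + "[...]" : descIdParameter)`, and likewise for `fingerprintParameter` in the RelayServlet hunk of this commit. The hunk does not add an `org.apache.commons.lang` import for this file, so presumably it is already imported above the hunk; worth confirming since the diffstat lists only one insertion here. The enclosing method starts and ends outside the hunk.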
diff --git a/src/org/torproject/ernie/web/ExoneraTorServlet.java b/src/org/torproject/ernie/web/ExoneraTorServlet.java
index 35e292d..e501129 100644
--- a/src/org/torproject/ernie/web/ExoneraTorServlet.java
+++ b/src/org/torproject/ernie/web/ExoneraTorServlet.java
@@ -14,6 +14,7 @@ import javax.servlet.http.*;
import javax.sql.*;
import org.apache.commons.codec.binary.*;
+import org.apache.commons.lang.*;
public class ExoneraTorServlet extends HttpServlet {
@@ -184,8 +185,9 @@ public class ExoneraTorServlet extends HttpServlet {
+ Integer.parseInt(ipParts[3]);
} else {
ipWarning = "\"" + (ipParameter.length() > 20 ?
- ipParameter.substring(0, 20) + "[...]" :
- ipParameter) + "\" is not a valid IP address.";
+ StringEscapeUtils.escapeHtml(ipParameter.substring(0, 20))
+ + "[...]" : StringEscapeUtils.escapeHtml(ipParameter))
+ + "\" is not a valid IP address.";
}
}
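Review bot: The truncate-then-escape expression on the added lines of this hunk is repeated almost verbatim for `timestampParameter`, `targetAddrParameter` and `targetPortParameter` in the three following hunks, with only the parameter name, the length cap and the trailing message differing; the previous version of the targetAddr branch shows how easily such copies drift (it referenced the wrong parameter). A small private helper would make each warning a one-liner, e.g. `ipWarning = "\"" + escapeForWarning(ipParameter, 20) + "\" is not a valid IP address.";`, and keep the escaping in one place. The enclosing method starts and ends outside the hunk, so the helper would be added elsewhere in the class.
```java
/**
 * Returns {@code value} cut to at most {@code maxLength} characters
 * (with "[...]" appended when cut) and HTML-escaped, for safe inclusion
 * in a warning message reflected back to the client.
 */
private static String escapeForWarning(String value, int maxLength) {
    String shown = value.length() > maxLength
        ? value.substring(0, maxLength) + "[...]" : value;
    return StringEscapeUtils.escapeHtml(shown);
}
// … unchanged: parameter parsing in doGet …
ipWarning = "\"" + escapeForWarning(ipParameter, 20)
    + "\" is not a valid IP address.";
```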
@@ -210,8 +212,10 @@ public class ExoneraTorServlet extends HttpServlet {
/* We have no way to handle this exception, other than leaving
timestampStr at "". */
timestampWarning = "\"" + (timestampParameter.length() > 20 ?
- timestampParameter.substring(0, 20) + "[...]" :
- timestampParameter) + "\" is not a valid timestamp.";
+ StringEscapeUtils.escapeHtml(timestampParameter.
+ substring(0, 20)) + "[...]" :
+ StringEscapeUtils.escapeHtml(timestampParameter))
+ + "\" is not a valid timestamp.";
}
}
@@ -244,8 +248,9 @@ public class ExoneraTorServlet extends HttpServlet {
targetIPParts = targetIP.split("\\.");
} else {
targetAddrWarning = "\"" + (targetAddrParameter.length() > 20 ?
- timestampParameter.substring(0, 20) + "[...]" :
- timestampParameter) + "\" is not a valid IP address.";
+ StringEscapeUtils.escapeHtml(targetAddrParameter.substring(
+ 0, 20)) + "[...]" : StringEscapeUtils.escapeHtml(
+ targetAddrParameter)) + "\" is not a valid IP address.";
}
}
@@ -266,8 +271,10 @@ public class ExoneraTorServlet extends HttpServlet {
}
} else {
targetPortWarning = "\"" + (targetPortParameter.length() > 8 ?
- targetPortParameter.substring(0, 8) + "[...]" :
- targetPortParameter) + "\" is not a valid TCP port.";
+ StringEscapeUtils.escapeHtml(targetPortParameter.
+ substring(0, 8)) + "[...]" :
+ StringEscapeUtils.escapeHtml(targetPortParameter))
+ + "\" is not a valid TCP port.";
}
}
diff --git a/src/org/torproject/ernie/web/RelayServlet.java b/src/org/torproject/ernie/web/RelayServlet.java
index 88331aa..48da03b 100644
--- a/src/org/torproject/ernie/web/RelayServlet.java
+++ b/src/org/torproject/ernie/web/RelayServlet.java
@@ -146,7 +146,8 @@ public class RelayServlet extends HttpServlet {
}
}
if (!validParameter) {
- out.write(" <br/><p>Sorry, \"" + fingerprintParameter
+ out.write(" <br/><p>Sorry, \""
+ + StringEscapeUtils.escapeHtml(fingerprintParameter)
+ "\" is not a valid relay fingerprint. Please provide at "
+ "least the first 8 hex characters of a relay "
+ "fingerprint.</p>\n");