Posted to dev@roller.apache.org by Allen Gilliland <al...@sun.com> on 2007/03/19 21:15:00 UTC

Re: svn commit: r520056 - in /incubator/roller: branches/roller_2.3/ branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/ branches/roller_2.3/web/WEB-INF/classes/ branches/roller_2.3/web/weblog/ branches/roller_3.0/ branches/roller_3.0/...

Dave,

I'd like to suggest that we do one more thing to fix this problem 
starting in the current trunk.  I'd like to go ahead and make our pojo 
wrappers static so that we can place custom code in various methods to 
handle situations like this.  The problem with the current fix is that 
it relies on the fact that people are using the macros and that can't be 
guaranteed, so to truly solve this problem we need the functionality to 
be in the pojo wrappers themselves so that there is no way to get 
unescaped data.

So to do this all I am planning to do is copy the current generated 
wrappers into the actual source tree and commit them, then modify the 
various getXXX() methods on the CommentDataWrapper so that they escape 
the data.

Not only does this help fix this security issue at the very root level, 
but it will also open up opportunities to do more with our wrappers in 
general.  So is anyone else opposed to making the pojo wrappers static?

I don't think this change would need to be back ported to older 
releases, so it would just go into the current trunk.

-- Allen
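The wrapper approach proposed above, as an added example that is not Roller's code: a read-only wrapper whose string getters HTML-escape the pojo value they return. Velocity resolves `$comment.name` to `getName()`, so a template handed the wrapper cannot print raw data whether or not it goes through the shared macros. The `CommentData` stand-in, its field set and the `escapeHtml` routine are constructed for this illustration (Roller's templates on this page call `$utils.escapeHTML` / `$utilities.escapeHTML`); the `getUrl()` scheme check goes one step beyond the commit, since the templates place the URL inside an `href` where escaping alone does not constrain the scheme.

```java
import java.util.Locale;
import java.util.Objects;

/**
 * Added example (not Roller code): a read-only wrapper around a comment pojo
 * whose getters HTML-escape every string they return. There is no accessor
 * that hands a template the raw value.
 */
public final class EscapingCommentWrapper {

    /** Stand-in for Roller's CommentData pojo, constructed for this example. */
    public static final class CommentData {
        private final String name;
        private final String email;
        private final String url;
        private final String remoteHost;

        public CommentData(String name, String email, String url, String remoteHost) {
            this.name = name;
            this.email = email;
            this.url = url;
            this.remoteHost = remoteHost;
        }

        public String getName()       { return name; }
        public String getEmail()      { return email; }
        public String getUrl()        { return url; }
        public String getRemoteHost() { return remoteHost; }
    }

    private final CommentData pojo;

    private EscapingCommentWrapper(CommentData pojo) {
        this.pojo = Objects.requireNonNull(pojo);
    }

    /** Factory in the style of a generated wrapper; a null pojo stays null. */
    public static EscapingCommentWrapper wrap(CommentData pojo) {
        return pojo == null ? null : new EscapingCommentWrapper(pojo);
    }

    // Every string getter escapes on the way out.
    public String getName()       { return escapeHtml(pojo.getName()); }
    public String getEmail()      { return escapeHtml(pojo.getEmail()); }
    public String getRemoteHost() { return escapeHtml(pojo.getRemoteHost()); }

    /**
     * The URL is escaped and additionally limited to http/https, because
     * templates emit it inside an href attribute; anything else renders as
     * an empty string rather than as a link.
     */
    public String getUrl() {
        String u = pojo.getUrl();
        if (u == null) return "";
        String trimmed = u.trim();
        String lower = trimmed.toLowerCase(Locale.ROOT);
        if (!lower.startsWith("http://") && !lower.startsWith("https://")) return "";
        return escapeHtml(trimmed);
    }

    /**
     * Minimal HTML escaping of the five significant characters. Null maps to
     * the empty string so Velocity never falls back to printing the reference
     * text itself.
     */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a commenter name carrying markup and quotes, and a non-http URL.
        CommentData raw = new CommentData("<b>Mallory</b> \"O'Neil\"", "m@example.test",
                                          "ftp://example.test/", "203.0.113.7");
        EscapingCommentWrapper w = wrap(raw);
        System.out.println("name:  " + w.getName());
        System.out.println("email: " + w.getEmail());
        System.out.println("url:   '" + w.getUrl() + "'");
        System.out.println("host:  " + w.getRemoteHost());
    }
}
```

Because the escaping lives in the getter, a template author who bypasses the macros and writes `<b>$comment.name</b>` directly still gets escaped output, which is the guarantee the macro-based fix cannot give.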


snoopdave@apache.org wrote:
> Author: snoopdave
> Date: Mon Mar 19 12:25:59 2007
> New Revision: 520056
> 
> URL: http://svn.apache.org/viewvc?view=rev&rev=520056
> Log:
> Fixing XSS vulnerability by stripping HTML from incoming comment fields and escaping HTML when fields are displayed in Roller 2.3, Roller 3.0, Roller 3.1 and trunk
> 
> Removed:
>     incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/authoring/struts/formbeans/CommentFormEx.java
>     incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/authoring/struts/formbeans/CommentFormEx.java
>     incubator/roller/trunk/src/org/apache/roller/ui/authoring/struts/formbeans/CommentFormEx.java
> Modified:
>     incubator/roller/branches/roller_2.3/CHANGES.txt
>     incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java
>     incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm
>     incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp
>     incubator/roller/branches/roller_3.0/CHANGES.txt
>     incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
>     incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp
>     incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm
>     incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
>     incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp
>     incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm
>     incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
>     incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp
>     incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm
> 
> Modified: incubator/roller/branches/roller_2.3/CHANGES.txt
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/CHANGES.txt?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_2.3/CHANGES.txt (original)
> +++ incubator/roller/branches/roller_2.3/CHANGES.txt Mon Mar 19 12:25:59 2007
> @@ -6,13 +6,24 @@
>  
>  *** Security risk in comment form
>  
> -Allowing commenters to leave HTML in comments is a potential security risk because it allows commenters can add malicious Javascipt code. You can disable HTML in comments via the Roller admin interface, but in Roller 2.3 and earlier versions of Roller, attackers could still add malicious HTML to the name, email and URL fields. 
> +Allowing commenters to leave HTML in comments is a potential security risk 
> +because it allows commenters can add malicious Javascipt code. You can 
> +disable HTML in comments via the Roller admin interface, but in Roller 2.3 and 
> +earlier versions of Roller, attackers could still add malicious HTML to the 
> +name, email and URL fields. 
>  
> -We fixed the problem in Roller 2.3.1 and all subsequent versions of Roller by stripping all HTML from name, email and comment fields at comment post time. 
> +We fixed the problem in Roller 2.3.1 and all subsequent versions of 
> +Roller by stripping all HTML from name, email and comment fields at 
> +comment post time. Also, we do HTML escaping whenever we display the
> +suspect fields.
>  
>  *** Licensing issue with JavaMail and Activation jars  
>  
> -The JavaMail and Activation jars (mail.jar and activation.jar) included in Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible with Apache licensing policy. So these jars have been removed from the release and instructions have been added to the Installation Guide that explain how to get them and add them to Roller.
> +The JavaMail and Activation jars (mail.jar and activation.jar) included in 
> +Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible 
> +with Apache licensing policy. So these jars have been removed from the release 
> +and instructions have been added to the Installation Guide that explain 
> +how to get them and add them to Roller.
>  
>  
>  Roller 2.3: improvements and bug fixes, no major new features
> 
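Review bot: the reflowed paragraph keeps the grammatical slip and misspelling from the original line ("because it allows commenters can add malicious Javascipt code"); since these lines are being touched anyway, change it to "because it allows commenters to add malicious JavaScript code". The new closing sentence also says HTML is stripped from the "name, email and comment fields", while the paragraph above names the name, email and URL fields as the affected ones; the two lists should agree on which fields are sanitized.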
> Modified: incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java (original)
> +++ incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java Mon Mar 19 12:25:59 2007
> @@ -114,6 +114,8 @@
>      public void copyTo(org.apache.roller.pojos.CommentData dataHolder, Locale locale) 
>          throws RollerException
>      {
> +        super.copyTo(dataHolder, locale);
> +        
>          if (!StringUtils.isEmpty(name)) {
>              name = Utilities.removeHTML(name);
>          }
> @@ -123,7 +125,9 @@
>          if (!StringUtils.isEmpty(email)) {
>              email = Utilities.removeHTML(email);
>          }
> -        super.copyTo(dataHolder, locale);
> +        if (!StringUtils.isEmpty(remoteHost)) {
> +            remoteHost = Utilities.removeHTML(remoteHost);
> +        }
>          if (getSpam() == null) dataHolder.setSpam(Boolean.FALSE);
>          if (getNotify() == null) dataHolder.setNotify(Boolean.FALSE);
>      }
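Review bot: moving super.copyTo(dataHolder, locale) to the top of copyTo() means the removeHTML() calls now run after the bean's fields have already been copied into dataHolder, so the cleaned name, email and remoteHost are written back into the form bean but never reach the CommentData being saved (the old order stripped first, then copied). Either keep the super call after the stripping block, or set the cleaned values explicitly on dataHolder after each removeHTML(), the way setSpam()/setNotify() are set at the end of the method.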
> 
> Modified: incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm (original)
> +++ incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm Mon Mar 19 12:25:59 2007
> @@ -61,15 +61,15 @@
>      <p class="comment-details">
>      $text.get("macro.weblog.postedby")
>      #if (!$stringUtils.isEmpty($comment.name) && !$stringUtils.isEmpty($comment.remoteHost))
> -        <b>$comment.name</b> ($comment.remoteHost)
> +        <b>$utilities.escapeHTML($comment.name)</b> ($utilities.escapeHTML($comment.remoteHost))
>      #elseif (!$stringUtils.isEmpty($comment.name))
> -        <b>$comment.name</b>
> +        <b>$utilities.escapeHTML($comment.name)</b>
>      #elseif (!$stringUtils.isEmpty($comment.remoteHost))
> -        <b>$comment.remoteHost</b>
> +        <b>$utilities.escapeHTML($comment.remoteHost)</b>
>      #end
>      $text.get("macro.weblog.on") $dateFormatter.format($comment.postTime)
>      #if( $stringUtils.isNotEmpty($comment.url) )
> -        $text.get( "macro.weblog.postedbywebsite", [$comment.url, $comment.url] )
> +        $text.get( "macro.weblog.postedbywebsite", [$utilities.escapeHTML($comment.url), $utilities.escapeHTML($comment.url)] )
>      #end
>      #if( $showPermalink )
>      <a href="${ctxPath}${entry.permaLink}#comment${velocityCount}"
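Review bot: $utilities.escapeHTML($comment.url) is passed twice to the "macro.weblog.postedbywebsite" message, presumably as both link target and link text; HTML escaping is the right treatment for those contexts, but nothing in this commit checks that the stored URL uses an http or https scheme (CommentFormEx.copyTo only runs removeHTML over it), so consider rejecting other schemes where the URL is accepted or before the link is built.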
> @@ -199,15 +199,15 @@
>  
>          <table cellspacing="0" cellpadding="1" border="0" width="95%">
>          <tr><th>$text.get( "macro.weblog.name" )</th>
> -            <td><input type="text" name="name" value="$commentForm.name" size="50" maxlength="255" /></td>
> +            <td><input type="text" name="name" value="$utilities.escapeHTML($commentForm.name)" size="50" maxlength="255" /></td>
>          </tr>
>  
>          <tr><th>$text.get( "macro.weblog.email" )</th>
> -            <td><input type="text" name="email" value="$commentForm.email" size="50" maxlength="255" /></td>
> +            <td><input type="text" name="email" value="$utilities.escapeHTML($commentForm.email)" size="50" maxlength="255" /></td>
>          </tr>
>  
>          <tr><th>$text.get( "macro.weblog.url" )</th>
> -            <td><input type="text" name="url" value="$commentForm.url" size="50" maxlength="255" /></td>
> +            <td><input type="text" name="url" value="$utilities.escapeHTML($commentForm.url)" size="50" maxlength="255" /></td>
>          </tr>
>          #if ($pageModel.emailComments)
>          <tr>
> 
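Review bot: the re-displayed form fields use $utilities.escapeHTML($commentForm.name) and friends; if escapeHTML returns null for a null field, Velocity prints the reference text itself into the value attribute. The 3.0 weblog.vm hunk in this same commit uses the quiet form $!content for the textarea, so use $!utilities.escapeHTML(...) here as well, or make escapeHTML return the empty string for null input.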
> Modified: incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp (original)
> +++ incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp Mon Mar 19 12:25:59 2007
> @@ -303,27 +303,27 @@
>                              <c:choose>
>                                  <c:when test="${!empty comment.email && !empty comment.name}">
>                                      <fmt:message key="commentManagement.commentByBoth" >
> -                                        <fmt:param value="${comment.name}" />
> -                                        <fmt:param value="${comment.email}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.email}" /></fmt:param>
>                                          <fmt:param value="mailto" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:when test="${!empty comment.name}">
>                                      <fmt:message key="commentManagement.commentByName" >
> -                                        <fmt:param value="${comment.name}" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:when test="${!empty comment.email}">
>                                      <fmt:message key="commentManagement.commentByName" >
> -                                        <fmt:param value="${comment.email}" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:otherwise>
>                                      <fmt:message key="commentManagement.commentByIP" >
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:otherwise>
>                              </c:choose>
> 
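Review bot: in the `!empty comment.email` branch the replacement line reads <fmt:param><c:out value="${comment.name}" /></fmt:param> where the removed line had ${comment.email}; that branch is only reached when comment.name is empty, so the admin listing now shows a blank instead of the commenter's e-mail. It should be <c:out value="${comment.email}" />. The same slip is repeated in the 3.0, 3.1 and trunk copies of CommentManagement.jsp in this commit.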
> Modified: incubator/roller/branches/roller_3.0/CHANGES.txt
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/CHANGES.txt?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_3.0/CHANGES.txt (original)
> +++ incubator/roller/branches/roller_3.0/CHANGES.txt Mon Mar 19 12:25:59 2007
> @@ -2,6 +2,22 @@
>  ROLLER CHANGE LOG
>  -----------------
>  
> +Roller 3.0.1: minor release to fix comment form XSS security risk
> +
> +Allowing commenters to leave HTML in comments is a potential security risk 
> +because it allows commenters can add malicious Javascipt code. You can 
> +disable HTML in comments via the Roller admin interface, but in Roller 2.3 and 
> +earlier versions of Roller, attackers could still add malicious HTML to the 
> +name, email and URL fields. 
> +
> +We fixed the problem in Roller 2.3.1 and all subsequent versions of 
> +Roller by stripping all HTML from name, email and comment fields at 
> +comment post time. Also, we do HTML escaping whenever we display the
> +suspect fields.
> +
> +
> +-------------------------------------------------------------------------------
> +
>  Roller 3.0: major release with new URL structure and new template syste
>  
>  Please refer to the What's New page for an overview of the changes:
> 
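Review bot: the new 3.0.1 entry copies the 2.3 wording verbatim, including "in Roller 2.3 and earlier versions of Roller, attackers could still add malicious HTML"; the commit log says 3.0 and 3.1 were affected too, so this entry should state that the 3.0.x line was affected and is fixed in 3.0.1. While rewriting it, also correct "allows commenters can add malicious Javascipt code" to "allows commenters to add malicious JavaScript code".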
> Modified: incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java (original)
> +++ incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java Mon Mar 19 12:25:59 2007
> @@ -27,6 +27,7 @@
>  import org.apache.roller.model.RollerFactory;
>  import org.apache.roller.model.WeblogManager;
>  import org.apache.roller.pojos.WeblogEntryData;
> +import org.apache.roller.util.Utilities;
>  
>  
>  /**
> @@ -121,15 +122,15 @@
>           *   notify - if commenter wants to receive notifications
>           */
>          if(request.getParameter("name") != null) {
> -            this.name = request.getParameter("name");
> +            this.name = Utilities.removeHTML(request.getParameter("name"));
>          }
>          
>          if(request.getParameter("email") != null) {
> -            this.email = request.getParameter("email");
> +            this.email = Utilities.removeHTML(request.getParameter("email"));
>          }
>          
>          if(request.getParameter("url") != null) {
> -            this.url = request.getParameter("url");
> +            this.url = Utilities.removeHTML(request.getParameter("url"));
>          }
>          
>          if(request.getParameter("content") != null) {
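Review bot: Utilities.removeHTML() on the url parameter strips tags but does not validate the value as a URL, and the 3.0 weblog.vm in this commit still writes it raw into href="$comment.url"; this intake point is the natural place to accept only http:// and https:// values and blank the field otherwise. The content parameter in the trailing context is not passed through removeHTML, which looks intentional because commentEscapeHtml governs it at display time, but a short comment saying so would save the next reader the question.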
> 
> Modified: incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp (original)
> +++ incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp Mon Mar 19 12:25:59 2007
> @@ -308,27 +308,27 @@
>                              <c:choose>
>                                  <c:when test="${!empty comment.email && !empty comment.name}">
>                                      <fmt:message key="commentManagement.commentByBoth" >
> -                                        <fmt:param value="${comment.name}" />
> -                                        <fmt:param value="${comment.email}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.email}" /></fmt:param>
>                                          <fmt:param value="mailto" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:when test="${!empty comment.name}">
>                                      <fmt:message key="commentManagement.commentByName" >
> -                                        <fmt:param value="${comment.name}" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:when test="${!empty comment.email}">
>                                      <fmt:message key="commentManagement.commentByName" >
> -                                        <fmt:param value="${comment.email}" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:otherwise>
>                                      <fmt:message key="commentManagement.commentByIP" >
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:otherwise>
>                              </c:choose>
> 
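Review bot: in the `!empty comment.email` branch the new line <fmt:param><c:out value="${comment.name}" /></fmt:param> replaces a line that output ${comment.email}; since this branch only runs when comment.name is empty, the listing loses the e-mail address. Use <c:out value="${comment.email}" /> here.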
> Modified: incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm (original)
> +++ incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm Mon Mar 19 12:25:59 2007
> @@ -160,11 +160,10 @@
>      <br/>
>      #foreach( $comment in $comments )
>          #if($comment.approved || $model.commentForm.preview)
> -            #set($content = $utils.encodeEmail($comment.content))
>              #if($config.commentEscapeHtml)
> -                #set($content = $utils.escapeHTML($content))
> +                #set($content = $utils.escapeHTML($comment.content))
>              #else 
> -                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($content)))
> +                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($comment.content)))
>              #end
>              #if($config.commentAutoFormat)
>                  #set($content = $utils.autoformat($content))
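Review bot: the removed #set($content = $utils.encodeEmail($comment.content)) line drops the e-mail address obfuscation that used to run over comment content before escaping, and the two new #set lines read $comment.content directly. If dropping encodeEmail is intended it should be called out in CHANGES.txt; otherwise apply escapeHTML to the encodeEmail() result as before.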
> @@ -177,11 +176,11 @@
>                  <p class="comment-details">
>                  $text.get("macro.weblog.postedby")
>                  #if (!$utils.isEmpty($comment.name) && !$utils.isEmpty($comment.url))
> -                    <a rel="nofollow" href="$comment.url"><b>$comment.name</b></a>
> +                    <a rel="nofollow" href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
>                  #elseif (!$utils.isEmpty($comment.name))
> -                    <b>$comment.name</b>
> +                    <b>$utils.escapeHTML($comment.name)</b>
>                  #else
> -                    <b>$comment.remoteHost</b>
> +                    <b>$utils.escapeHTML($comment.remoteHost)</b>
>                  #end
>  
>                  $text.get("macro.weblog.on") $utils.formatDate($comment.postTime, $text.get( "macro.weblog.datepattern" ))
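Review bot: in the first branch the commenter name is now escaped but the adjacent href="$comment.url" is still emitted raw, so a stored URL containing a double quote can terminate the attribute; write it as href="$utils.escapeHTML($comment.url)", and restrict the scheme to http/https where the URL is accepted (WeblogCommentRequest in this commit only runs removeHTML over it).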
> @@ -222,16 +221,16 @@
>          <ul>
>              <li>
>                  <label class="desc">$text.get( "macro.weblog.name" )</label>
> -                <input type="text" name="name" class="text large" value="$cform.name" size="50" maxlength="255" />
> +                <input type="text" name="name" class="text large" value="$utilities.escapeHTML($cform.name)" size="50" maxlength="255" />
>              </li>
>  
>  
>              <li><label class="desc">$text.get( "macro.weblog.email" )</label>
> -                <input type="text" name="email" class="text large" value="$cform.email" size="50" maxlength="255" />
> +                <input type="text" name="email" class="text large" value="$utilities.escapeHTML($cform.email)" size="50" maxlength="255" />
>              </li>
>  
>              <li><label class="desc">$text.get( "macro.weblog.url" )</label>
> -                <input type="text" name="url" class="text large" value="$cform.url" size="50" maxlength="255" />
> +                <input type="text" name="url" class="text large" value="$utilities.escapeHTML($cform.url)" size="50" maxlength="255" />
>              </li>
>  
>          #if ($config.commentEmailNotify)
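Review bot: these three inputs call $utilities.escapeHTML(...) while every other escape in this template, including the hunk just above, goes through $utils.escapeHTML(...); if $utilities is not bound in the 3.0 rendering context, Velocity prints the reference text literally into the value attribute. Use $utils here, and prefer the quiet form $!utils.escapeHTML(...) so an unset field renders as empty.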
> @@ -245,7 +244,12 @@
>              </li>
>              <li>
>                  <label class="desc">$text.get( "macro.weblog.yourcomment" )</label>
> -                <textarea name="content" class="textarea large" cols="" rows="">$cform.content</textarea>
> +                #if($config.commentEscapeHtml)
> +                    #set($content = $utils.escapeHTML($cform.content))
> +                #else 
> +                    #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($cform.content)))
> +                #end
> +                <textarea name="content" class="textarea large" cols="" rows="">$!content</textarea>
>              </li>
>              <li class="info">
>                  <span class="comments-syntax-indicator">
> 
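Review bot: the preview textarea now runs the display pipeline (transformToHTMLSubset over the escaped content) on what is really the user's edit buffer; a textarea only needs plain HTML-escaped text, so $utils.escapeHTML($cform.content), which is what the 3.1 template had before this commit, is sufficient and avoids reintroducing tags into the editable value. The quiet $!content reference is the right choice and should be mirrored in the 3.1 version of this hunk, which uses $content.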
> Modified: incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java (original)
> +++ incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java Mon Mar 19 12:25:59 2007
> @@ -27,6 +27,7 @@
>  import org.apache.roller.business.RollerFactory;
>  import org.apache.roller.business.WeblogManager;
>  import org.apache.roller.pojos.WeblogEntryData;
> +import org.apache.roller.util.Utilities;
>  
>  
>  /**
> @@ -121,15 +122,15 @@
>           *   notify - if commenter wants to receive notifications
>           */
>          if(request.getParameter("name") != null) {
> -            this.name = request.getParameter("name");
> +            this.name = Utilities.removeHTML(request.getParameter("name"));
>          }
>          
>          if(request.getParameter("email") != null) {
> -            this.email = request.getParameter("email");
> +            this.email = Utilities.removeHTML(request.getParameter("email"));
>          }
>          
>          if(request.getParameter("url") != null) {
> -            this.url = request.getParameter("url");
> +            this.url = Utilities.removeHTML(request.getParameter("url"));
>          }
>          
>          if(request.getParameter("content") != null) {
> 
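Review bot: as in the 3.0 copy of this file, removeHTML() on the url parameter strips tags without validating the URL; since the 3.1 weblog.vm in this commit still emits it raw in href="$comment.url", accept only http:// and https:// values here and blank the field otherwise.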
> Modified: incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp (original)
> +++ incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp Mon Mar 19 12:25:59 2007
> @@ -329,27 +329,27 @@
>                              <c:choose>
>                                  <c:when test="${!empty comment.email && !empty comment.name}">
>                                      <fmt:message key="commentManagement.commentByBoth" >
> -                                        <fmt:param value="${comment.name}" />
> -                                        <fmt:param value="${comment.email}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.email}" /></fmt:param>
>                                          <fmt:param value="mailto" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:when test="${!empty comment.name}">
>                                      <fmt:message key="commentManagement.commentByName" >
> -                                        <fmt:param value="${comment.name}" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:when test="${!empty comment.email}">
>                                      <fmt:message key="commentManagement.commentByName" >
> -                                        <fmt:param value="${comment.email}" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:otherwise>
>                                      <fmt:message key="commentManagement.commentByIP" >
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:otherwise>
>                              </c:choose>
> 
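Review bot: in the `!empty comment.email` branch the new line <fmt:param><c:out value="${comment.name}" /></fmt:param> replaces ${comment.email}; comment.name is empty whenever this branch runs, so the e-mail is no longer shown. Use <c:out value="${comment.email}" />.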
> Modified: incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm
> URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm (original)
> +++ incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm Mon Mar 19 12:25:59 2007
> @@ -160,11 +160,10 @@
>      <br/>
>      #foreach( $comment in $comments )
>          #if($comment.approved || $model.commentForm.preview)
> -            #set($content = $utils.encodeEmail($comment.content))
>              #if($config.commentEscapeHtml)
> -                #set($content = $utils.escapeHTML($content))
> +                #set($content = $utils.escapeHTML($comment.content))
>              #else 
> -                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($content)))
> +                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($comment.content)))
>              #end
>              #if($config.commentAutoFormat)
>                  #set($content = $utils.autoformat($content))
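Review bot: removing #set($content = $utils.encodeEmail($comment.content)) silently drops the e-mail obfuscation step for comment content in 3.1 as well; either note the behaviour change in CHANGES.txt or keep escapeHTML wrapped around the encodeEmail() result.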
> @@ -177,11 +176,11 @@
>                  <p class="comment-details">
>                  $text.get("macro.weblog.postedby")
>                  #if (!$utils.isEmpty($comment.name) && !$utils.isEmpty($comment.url))
> -                    <a rel="nofollow" href="$comment.url"><b>$comment.name</b></a>
> +                    <a rel="nofollow" href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
>                  #elseif (!$utils.isEmpty($comment.name))
> -                    <b>$comment.name</b>
> +                    <b>$utils.escapeHTML($comment.name)</b>
>                  #elseif ($comment.remoteHost)
> -                    <b>$comment.remoteHost</b>
> +                    <b>$utils.escapeHTML($comment.remoteHost)</b>
>                  #else
>                      <b>$text.get("macro.weblog.comment.unknown")</b>
>                  #end
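Review bot: href="$comment.url" in the first branch is still written unescaped while the name beside it is now escaped; a double quote in the stored URL breaks out of the attribute. Use href="$utils.escapeHTML($comment.url)" and restrict the scheme to http/https at intake in WeblogCommentRequest.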
> @@ -247,7 +246,12 @@
>              </li>
>              <li>
>                  <label class="desc">$text.get( "macro.weblog.yourcomment" )</label>
> -                <textarea name="content" class="textarea large" cols="40" rows="10">$utils.escapeHTML($cform.content)</textarea>
> +                #if($config.commentEscapeHtml)
> +                    #set($content = $utils.escapeHTML($cform.content))
> +                #else 
> +                    #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($cform.content)))
> +                #end
> +                <textarea name="content" class="textarea large" cols="" rows="">$content</textarea>
>              </li>
>              <li class="info">
>                  <span class="comments-syntax-indicator">
> 
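Review bot: the replacement textarea line changes cols="40" rows="10" to cols="" rows="", which looks like an accidental copy from the 3.0 template and regresses the field's size; keep the original attributes. The new lines also reference $content rather than the quiet $!content used in the 3.0 hunk, and apply transformToHTMLSubset to an edit buffer where the removed $utils.escapeHTML($cform.content) was already the correct treatment for a textarea.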
> Modified: incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
> URL: http://svn.apache.org/viewvc/incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java (original)
> +++ incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java Mon Mar 19 12:25:59 2007
> @@ -27,6 +27,7 @@
>  import org.apache.roller.business.RollerFactory;
>  import org.apache.roller.business.WeblogManager;
>  import org.apache.roller.pojos.WeblogEntryData;
> +import org.apache.roller.util.Utilities;
>  
>  
>  /**
> @@ -121,15 +122,15 @@
>           *   notify - if commenter wants to receive notifications
>           */
>          if(request.getParameter("name") != null) {
> -            this.name = request.getParameter("name");
> +            this.name = Utilities.removeHTML(request.getParameter("name"));
>          }
>          
>          if(request.getParameter("email") != null) {
> -            this.email = request.getParameter("email");
> +            this.email = Utilities.removeHTML(request.getParameter("email"));
>          }
>          
>          if(request.getParameter("url") != null) {
> -            this.url = request.getParameter("url");
> +            this.url = Utilities.removeHTML(request.getParameter("url"));
>          }
>          
>          if(request.getParameter("content") != null) {
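Review bot: `Utilities.removeHTML` on `name`, `email` and `url` is input sanitisation, useful as defence in depth but not a substitute for output encoding: `url` is later interpolated into an `href` attribute, where stripping tags does nothing about quote characters and does not validate the scheme, and a stripped-but-unescaped value is still a problem in any template that omits the escape call. Keep the stripping, but make every rendering site escape as well; and since stripping silently rewrites user data, consider rejecting a `url` that contains markup instead of altering it.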
> 
> Modified: incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp
> URL: http://svn.apache.org/viewvc/incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp (original)
> +++ incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp Mon Mar 19 12:25:59 2007
> @@ -364,27 +364,27 @@
>                              <c:choose>
>                                  <c:when test="${!empty comment.email && !empty comment.name}">
>                                      <fmt:message key="commentManagement.commentByBoth" >
> -                                        <fmt:param value="${comment.name}" />
> -                                        <fmt:param value="${comment.email}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.email}" /></fmt:param>
>                                          <fmt:param value="mailto" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:when test="${!empty comment.name}">
>                                      <fmt:message key="commentManagement.commentByName" >
> -                                        <fmt:param value="${comment.name}" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:when test="${!empty comment.email}">
>                                      <fmt:message key="commentManagement.commentByName" >
> -                                        <fmt:param value="${comment.email}" />
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.name}" /></fmt:param>
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:when>
>                                  <c:otherwise>
>                                      <fmt:message key="commentManagement.commentByIP" >
> -                                        <fmt:param value="${comment.remoteHost}" />
> +                                        <fmt:param><c:out value="${comment.remoteHost}" /></fmt:param>
>                                       </fmt:message>
>                                  </c:otherwise>
>                              </c:choose>
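Review bot: in the `<c:when test="${!empty comment.email}">` branch the first parameter was changed from `${comment.email}` to `${comment.name}`, but that branch is only reached when `comment.name` is empty, so the message will render with a blank author; it should read `<fmt:param><c:out value="${comment.email}" /></fmt:param>`. The move from `<fmt:param value="...">` to `<c:out>` is the right fix itself, since `c:out` escapes XML by default and `fmt:param value` does not.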
> 
> Modified: incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm
> URL: http://svn.apache.org/viewvc/incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm?view=diff&rev=520056&r1=520055&r2=520056
> ==============================================================================
> --- incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm (original)
> +++ incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm Mon Mar 19 12:25:59 2007
> @@ -179,11 +179,10 @@
>      <br/>
>      #foreach( $comment in $comments )
>          #if($comment.approved || $model.commentForm.preview)
> -            #set($content = $utils.encodeEmail($comment.content))
>              #if($config.commentEscapeHtml)
> -                #set($content = $utils.escapeHTML($content))
> +                #set($content = $utils.escapeHTML($comment.content))
>              #else 
> -                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($content)))
> +                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($comment.content)))
>              #end
>              #if($config.commentAutoFormat)
>                  #set($content = $utils.autoformat($content))
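Review bot: removing `#set($content = $utils.encodeEmail($comment.content))` drops e-mail obfuscation from comment bodies, a behaviour change the log message does not mention; if it was removed because it conflicted with escaping, it can be applied after `escapeHTML` instead. Note also that in the `#else` branch `transformToHTMLSubset` re-enables a subset of tags after `escapeHTML`, so the allow-list (and attribute handling) inside that utility is now the entire XSS boundary for comment bodies when `commentEscapeHtml` is off; that deserves a regression test of its own.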
> @@ -197,11 +196,11 @@
>                  <p class="comment-details">
>                  $text.get("macro.weblog.postedby")
>                  #if (!$utils.isEmpty($comment.name) && !$utils.isEmpty($comment.url))
> -                    <a rel="nofollow" href="$comment.url"><b>$comment.name</b></a>
> +                    <a rel="nofollow" href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
>                  #elseif (!$utils.isEmpty($comment.name))
> -                    <b>$comment.name</b>
> +                    <b>$utils.escapeHTML($comment.name)</b>
>                  #elseif ($comment.remoteHost)
> -                    <b>$comment.remoteHost</b>
> +                    <b>$utils.escapeHTML($comment.remoteHost)</b>
>                  #else
>                      <b>$text.get("macro.weblog.comment.unknown")</b>
>                  #end
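Review bot: the `href="$comment.url"` attribute on the changed anchor line remains unescaped while only the link text is passed through `$utils.escapeHTML`; escape the attribute value too, and confirm that `escapeHTML` encodes `"`, since that is the character that matters inside a quoted attribute.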
> @@ -245,16 +244,15 @@
>          <ul>
>              <li>
>                  <label class="desc">$text.get( "macro.weblog.name" )</label>
> -                <input type="text" name="name" class="text large" value="$cform.name" size="50" maxlength="255" />
> +                <input type="text" name="name" class="text large" value="$utils.escapeHTML($cform.name)" size="50" maxlength="255" />
>              </li>
>  
> -
>              <li><label class="desc">$text.get( "macro.weblog.email" )</label>
> -                <input type="text" name="email" class="text large" value="$cform.email" size="50" maxlength="255" />
> +                <input type="text" name="email" class="text large" value="$utils.escapeHTML($cform.email)" size="50" maxlength="255" />
>              </li>
>  
>              <li><label class="desc">$text.get( "macro.weblog.url" )</label>
> -                <input type="text" name="url" class="text large" value="$cform.url" size="50" maxlength="255" />
> +                <input type="text" name="url" class="text large" value="$utils.escapeHTML($cform.url)" size="50" maxlength="255" />
>              </li>
>  
>          #if ($config.commentEmailNotify)
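Review bot: `value="$utils.escapeHTML($cform.name)"` and the matching email and url lines are only safe in attribute context if `escapeHTML` encodes the double quote in addition to `<`, `>` and `&`; if the utility is a plain body-text escaper, add quote encoding to it or use a dedicated attribute escaper on these lines.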
> @@ -268,7 +266,14 @@
>              </li>
>              <li>
>                  <label class="desc">$text.get( "macro.weblog.yourcomment" )</label>
> -                <textarea name="content" class="textarea large" cols="40" rows="10">$utils.escapeHTML($cform.content)</textarea>
> +
> +            #if($config.commentEscapeHtml)
> +                #set($content = $utils.escapeHTML($cform.content))
> +            #else 
> +                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($cform.content)))
> +            #end               
> +            <textarea name="content" class="textarea large" cols="40" rows="10">$utils.escapeHTML($content)</textarea>
> +
>              </li>
>              <li class="info">
>                  <span class="comments-syntax-indicator">
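Review bot: `$utils.escapeHTML($content)` on the new textarea line escapes a value that both `#if` branches have already escaped, so a preview of `a < b` comes back in the edit box as `a &lt; b` (double encoding), and in the `#else` branch the `transformToHTMLSubset` output is escaped again, showing the commenter transformed markup rather than what they typed. The removed `$utils.escapeHTML($cform.content)` was already the correct value for an edit field; the `#if/#else` block belongs in the display path. This hunk also disagrees with the branch version of the same change earlier in this commit, which emits `$content` without the extra escape.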
> 
>