Posted to commits@jackrabbit.apache.org by re...@apache.org on 2016/02/26 13:07:38 UTC

svn commit: r1732460 - in /jackrabbit/branches/2.0: ./ jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java

Author: reschke
Date: Fri Feb 26 12:07:37 2016
New Revision: 1732460

URL: http://svn.apache.org/viewvc?rev=1732460&view=rev
Log:
JCR-3630: XSS in DirListingExportHandler (patch provided by lars krapf) (ported to 2.0)

Modified:
    jackrabbit/branches/2.0/   (props changed)
    jackrabbit/branches/2.0/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java

Propchange: jackrabbit/branches/2.0/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Feb 26 12:07:37 2016
@@ -4,4 +4,4 @@
 /jackrabbit/sandbox/JCR-1456:774917-886178
 /jackrabbit/sandbox/JCR-2170:812417-816332
 /jackrabbit/sandbox/tripod-JCR-2209:795441-795863
-/jackrabbit/trunk:891595,891629,892253,892263,894150-894151,896408,896513,896532,896857,896870,896876,896908,896940,896942-896943,896969,896977,897071,897836,897842,897858,897935,897983,897992-897993,897996,898002,898042,898267,898325,898540,898677,898699,898701,898715,898872,899102,899181,899391,899393-899394,899583,899594,899643,900305,900310,900314,900453,900702,900736,900762-900763,900767,900782,901095,901122,901139,901144,901170,901176,901191,901193,901196,901216,901228,901285,902058,902062,926324,928888,936668,955222,955229,955307,955852,965539,995406,995411-995412,996810,999298-999299,999965,1000912,1000947,1001707,1002065-1002066,1002084,1002101-1002102,1002168,1002170,1002589,1002608,1002657,1002729,1003423,1003470,1003542,1003773,1004182,1004184,1004223-1004224,1004652,1005057,1005112,1032621,1036117,1036336-1036337,1038201,1039064,1040090,1087304,1089436,1100242,1101046,1102601,1104027,1165609,1173196,1680757
+/jackrabbit/trunk:891595,891629,892253,892263,894150-894151,896408,896513,896532,896857,896870,896876,896908,896940,896942-896943,896969,896977,897071,897836,897842,897858,897935,897983,897992-897993,897996,898002,898042,898267,898325,898540,898677,898699,898701,898715,898872,899102,899181,899391,899393-899394,899583,899594,899643,900305,900310,900314,900453,900702,900736,900762-900763,900767,900782,901095,901122,901139,901144,901170,901176,901191,901193,901196,901216,901228,901285,902058,902062,926324,928888,936668,955222,955229,955307,955852,965539,995406,995411-995412,996810,999298-999299,999965,1000912,1000947,1001707,1002065-1002066,1002084,1002101-1002102,1002168,1002170,1002589,1002608,1002657,1002729,1003423,1003470,1003542,1003773,1004182,1004184,1004223-1004224,1004652,1005057,1005112,1032621,1036117,1036336-1036337,1038201,1039064,1040090,1087304,1089436,1100242,1101046,1102601,1104027,1165609,1173196,1506594,1680757

Modified: jackrabbit/branches/2.0/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.0/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java?rev=1732460&r1=1732459&r2=1732460&view=diff
==============================================================================
--- jackrabbit/branches/2.0/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java (original)
+++ jackrabbit/branches/2.0/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java Fri Feb 26 12:07:37 2016
@@ -166,7 +166,7 @@ public class DirListingExportHandler imp
                             writer.print("/");
                         }
                         writer.print("\">");
-                        writer.print(label);
+                        writer.print(Text.encodeIllegalXMLCharacters(label));
                         writer.print("</a></li>");
                     }
                 }
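Review bot: The encode-then-print pair `writer.print(Text.encodeIllegalXMLCharacters(label));` is now repeated at two separate listing sites, here and in the second hunk, with nothing to tie them together. A short comment at each site, such as `// label is derived from repository item names: encode before writing into HTML`, or a small private helper that both sites call, would make it harder for a later listing path to print the raw label again. The enclosing method starts and ends outside this hunk, so how label is derived is inferred from the commit log rather than visible here.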
@@ -226,7 +226,7 @@ public class DirListingExportHandler imp
                     writer.print("<li><a href=\"");
                     writer.print(child.getHref());
                     writer.print("\">");
-                    writer.print(label);
+                    writer.print(Text.encodeIllegalXMLCharacters(label));
                     writer.print("</a></li>");
                 }
                 writer.print("</ul><hr size=\"1\"><em>Powered by <a href=\"");
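Review bot: The href value written by `writer.print(child.getHref());` goes into a double-quoted attribute with no encoding, while only the link text two lines below is now escaped. Whether getHref() already returns a percent-encoded path is not visible in this hunk; if it can carry a `"` or `<` taken from an item name, the attribute is open to the same markup injection the label was. Either record that guarantee in a comment or write `writer.print(Text.encodeIllegalXMLCharacters(child.getHref()));`. The href printed just above the first hunk's visible lines deserves the same check, and the enclosing method starts and ends outside this hunk.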