Posted to commits@roller.apache.org by mb...@apache.org on 2021/09/13 02:12:13 UTC

[roller] 03/10: TagDataServlet: Escape URIs for XML output to make CodeQL happy.

This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit d673ecd72d45dd5ac576d968574f993eacc81622
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Mon Aug 23 06:43:07 2021 +0200

    TagDataServlet: Escape URIs for XML output to make CodeQL happy.
    
    This is technically not needed, but CodeQL thinks those variables are client-provided Strings,
    since one code path leads to the InitFilter. We do it anyway to fix 3 alerts, and it's trivial.
---
 .../apache/roller/weblogger/webservices/tagdata/TagDataServlet.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java b/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
index 6ddb591..e239839 100644
--- a/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
@@ -186,7 +186,7 @@ public class TagDataServlet extends HttpServlet {
                         0, true);
                 int frequency = stat.getCount();
                 pw.print("<atom:category term=\"" + term + "\" tagdata:frequency=\"" + frequency + "\" ");
-                pw.println("tagdata:href=\"" + viewURI + "\" />");
+                pw.println("tagdata:href=\"" + StringEscapeUtils.escapeXml10(viewURI) + "\" />");
                 if (count++ > MAX) {
                     break;
                 }
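Review bot: The `term` value printed on the line above the changed one is still concatenated into the `term="..."` attribute without escaping, so the commit escapes the href but leaves the tag name raw; a tag containing `"`, `&` or `<` would break the XML document or inject attributes, and tag names are the value here that plausibly originates from user input. Apply the same treatment: `pw.print("<atom:category term=\"" + StringEscapeUtils.escapeXml10(term) + "\" tagdata:frequency=\"" + frequency + "\" ");`. Where `term` comes from is not visible in this hunk, so whether it is already sanitized upstream should be confirmed, but escaping at the point of output is the safe default either way. The enclosing method starts outside the hunk.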
@@ -194,12 +194,12 @@ public class TagDataServlet extends HttpServlet {
             if (tags.size() > MAX) {
                 // get next URI, if site-wide then don't specify weblog
                 String nextURI = urlstrat.getWeblogTagsJsonURL(weblog, true, page + 1);
-                pw.println("<atom:link rel=\"next\" href=\"" + nextURI + "\" />");
+                pw.println("<atom:link rel=\"next\" href=\"" + StringEscapeUtils.escapeXml10(nextURI) + "\" />");
             }
             if (page > 0) {
                 // get prev URI, if site-wide then don't specify weblog
                 String prevURI = urlstrat.getWeblogTagsJsonURL(weblog, true, page - 1);
-                pw.println("<atom:link rel=\"previous\" href=\"" + prevURI + "\" />");
+                pw.println("<atom:link rel=\"previous\" href=\"" + StringEscapeUtils.escapeXml10(prevURI) + "\" />");
             }
             pw.println("</categories>");
             response.flushBuffer();
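Review bot: The escaping added on the two changed `href` lines deserves a comment, because the commit message calls it "technically not needed" while the hrefs are XML attribute values: if `getWeblogTagsJsonURL` ever returns a URL with a query string, its `&` must become `&amp;` for the document to be well-formed, independent of any CodeQL alert. Suggested comment above the first changed line: `// href is an XML attribute value: '&' and '"' in the URL must be escaped for well-formed output`. Whether the generated URLs currently contain such characters is not visible here, so the comment should state the attribute-context reason rather than assert the URL's shape. The enclosing method starts outside the hunk.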