Posted to dev@tomcat.apache.org by ma...@apache.org on 2006/01/17 22:53:53 UTC
svn commit: r369935 - in /tomcat/container/branches/tc4.1.x/webapps/examples/jsp: cal/cal2.jsp security/protected/index.jsp
Author: markt
Date: Tue Jan 17 13:53:49 2006
New Revision: 369935
URL: http://svn.apache.org/viewcvs?rev=369935&view=rev
Log:
Fix XSS issues in examples.
Modified:
tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp
tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp
Modified: tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp
URL: http://svn.apache.org/viewcvs/tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp?rev=369935&r1=369934&r2=369935&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp (original)
+++ tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp Tue Jan 17 13:53:49 2006
@@ -18,12 +18,12 @@
<FONT SIZE=5> Please add the following event:
<BR> <h3> Date <%= table.getDate() %>
-<BR> Time <%= time %> </h3>
+<BR> Time <%= util.HTMLFilter.filter(time) %> </h3>
</FONT>
<FORM METHOD=POST ACTION=cal1.jsp>
<BR>
<BR> <INPUT NAME="date" TYPE=HIDDEN VALUE="current">
-<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= time %>
+<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= util.HTMLFilter.filter(time) %>
<BR> <h2> Description of the event <INPUT NAME="description" TYPE=TEXT SIZE=20> </h2>
<BR> <INPUT TYPE=SUBMIT VALUE="submit">
</FORM>
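Review bot: the hidden input on the `+<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= util.HTMLFilter.filter(time) %>` line still has an unquoted attribute value. An unquoted value ends at the first whitespace, so even a filtered `time` that contains a space or tab would spill out of the attribute and be parsed as further attributes; HTML entity encoding does not touch whitespace. Quote the value, i.e. `VALUE="<%= util.HTMLFilter.filter(time) %>"`, which also requires that `util.HTMLFilter.filter` encode the double quote. The body-context change on the `Time` line is fine as is. The `<%= table.getDate() %>` context line is left unfiltered; if that value can be derived from request input it needs the same treatment, which this hunk does not show.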
Modified: tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp
URL: http://svn.apache.org/viewcvs/tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp?rev=369935&r1=369934&r2=369935&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp (original)
+++ tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp Tue Jan 17 13:53:49 2006
@@ -34,11 +34,13 @@
if (role.length() > 0) {
if (request.isUserInRole(role)) {
%>
- You have been granted role <b><%= role %></b><br><br>
+ You have been granted role
+ <b><%= util.HTMLFilter.filter(role) %></b><br><br>
<%
} else {
%>
- You have <i>not</i> been granted role <b><%= role %></b><br><br>
+ You have <i>not</i> been granted role
+ <b><%= util.HTMLFilter.filter(role) %></b><br><br>
<%
}
}
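Review bot: `util.HTMLFilter.filter(role)` is now repeated at every output site, which makes it easy for a future edit to add a third `<%= role %>` and miss the filter. Compute the escaped form once where `role` is read, e.g. `String safeRole = util.HTMLFilter.filter(role);`, and use `safeRole` in both the granted and not-granted branches while keeping the raw `role` for `request.isUserInRole(role)`, since the role check must see the unescaped value. Splitting each message across two lines is harmless in HTML body context.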
@@ -47,7 +49,7 @@
To check whether your username has been granted a particular role,
enter it here:
<form method="GET" action='<%= response.encodeURL("index.jsp") %>'>
-<input type="text" name="role" value="<%= role %>">
+<input type="text" name="role" value="<%= util.HTMLFilter.filter(role) %>">
</form>
<br><br>
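Review bot: `+<input type="text" name="role" value="<%= util.HTMLFilter.filter(role) %>">` is a double-quoted attribute, so the fix is only complete if `util.HTMLFilter.filter` encodes `"` in addition to `<`, `>` and `&`; please confirm that in the filter before relying on it here, and consider a test that submits `role` containing a double quote and checks the rendered attribute stays intact. The role filter and the `response.encodeURL("index.jsp")` action are otherwise consistent with the body-context changes in the previous hunk.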