svn commit: r1887401 - /portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java

[ta...@apache.org]

Author: taylor
Date: Wed Mar 10 01:42:57 2021
New Revision: 1887401

URL: http://svn.apache.org/viewvc?rev=1887401&view=rev
Log:
improve XXS url attack filter

Modified:
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?rev=1887401&r1=1887400&r2=1887401&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java Wed Mar 10 01:42:57 2021
@@ -99,7 +99,11 @@ public class XXSUrlAttackFilter implemen
 		// catch 'jspage=/responsive/my-account2.psml%22;alert(/xss/);%22'
 		String[] parts = value.split("&");
 		for (String part : parts) {
-			String queryValue = part.split("=")[1].replaceAll("%22", "\"");
+		    String[] segments = part.split("=");
+		    if (segments.length <= 1) {
+		        continue;
+            }
+			String queryValue = segments[1].replaceAll("%22", "\"");
 			if (queryValue.matches("^\"(.*)\"$")) {
 				// properly quoted query value
 			} else if (queryValue.indexOf('"') != -1) {



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org