Posted to commits@roller.apache.org by ga...@apache.org on 2008/06/17 18:45:00 UTC

svn commit: r668737 - /roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java

Author: gangolli
Date: Tue Jun 17 09:45:00 2008
New Revision: 668737

URL: http://svn.apache.org/viewvc?rev=668737&view=rev
Log:
Fix for an injection problem in search.  HTML is removed and the remaining XML is escaped before the term is returned.  The original raw term is still accessible via the property "rawTerm".

Modified:
    roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java

Modified: roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java
URL: http://svn.apache.org/viewvc/roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java?rev=668737&r1=668736&r2=668737&view=diff
==============================================================================
--- roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java (original)
+++ roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java Tue Jun 17 09:45:00 2008
@@ -27,6 +27,7 @@
 import java.util.TreeSet;
 import org.apache.commons.collections.comparators.ReverseComparator;
 import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.lucene.document.Document;
 import org.apache.lucene.search.Hits;
 import org.apache.roller.weblogger.WebloggerException;
@@ -47,6 +48,7 @@
 import org.apache.roller.util.DateUtil;
 import org.apache.roller.weblogger.business.URLStrategy;
 import org.apache.roller.weblogger.util.I18nMessages;
+import org.apache.roller.weblogger.util.Utilities;
 
 
 /**
@@ -232,6 +234,11 @@
     
     
     public String getTerm() {
+        String query = searchRequest.getQuery();
+        return (query == null) ? "" : StringEscapeUtils.escapeXml(Utilities.escapeHTML(query));
+    }
+
+    public String getRawTerm() {
         return (searchRequest.getQuery() == null) ? "" : searchRequest.getQuery();
     }