Posted to commits@roller.apache.org by ga...@apache.org on 2008/06/17 18:45:00 UTC
svn commit: r668737 -
/roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java
Author: gangolli
Date: Tue Jun 17 09:45:00 2008
New Revision: 668737
URL: http://svn.apache.org/viewvc?rev=668737&view=rev
Log:
Fix for injection problem in search. HTML is removed and the remaining text is XML-escaped before the term is returned. The original raw term is still accessible through the property "rawTerm".
Modified:
roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java
Modified: roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java
URL: http://svn.apache.org/viewvc/roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java?rev=668737&r1=668736&r2=668737&view=diff
==============================================================================
--- roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java (original)
+++ roller/trunk/apps/weblogger/src/java/org/apache/roller/weblogger/ui/rendering/model/SearchResultsModel.java Tue Jun 17 09:45:00 2008
@@ -27,6 +27,7 @@
import java.util.TreeSet;
import org.apache.commons.collections.comparators.ReverseComparator;
import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang.StringEscapeUtils;
import org.apache.lucene.document.Document;
import org.apache.lucene.search.Hits;
import org.apache.roller.weblogger.WebloggerException;
@@ -47,6 +48,7 @@
import org.apache.roller.util.DateUtil;
import org.apache.roller.weblogger.business.URLStrategy;
import org.apache.roller.weblogger.util.I18nMessages;
+import org.apache.roller.weblogger.util.Utilities;
/**
@@ -232,6 +234,11 @@
public String getTerm() {
+ String query = searchRequest.getQuery();
+ return (query == null) ? "" : StringEscapeUtils.escapeXml(Utilities.escapeHTML(query));
+ }
+
+ public String getRawTerm() {
return (searchRequest.getQuery() == null) ? "" : searchRequest.getQuery();
}