You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@struts.apache.org by lu...@apache.org on 2013/10/18 10:10:08 UTC

svn commit: r1533354 - in /struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser: ActionNamesAction.java ShowConfigAction.java

Author: lukaszlenart
Date: Fri Oct 18 08:10:07 2013
New Revision: 1533354

URL: http://svn.apache.org/r1533354
Log:
WW-4213 Sanitises input param namespace to avoid XSS

Modified:
    struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ActionNamesAction.java
    struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ShowConfigAction.java

Modified: struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ActionNamesAction.java
URL: http://svn.apache.org/viewvc/struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ActionNamesAction.java?rev=1533354&r1=1533353&r2=1533354&view=diff
==============================================================================
--- struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ActionNamesAction.java (original)
+++ struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ActionNamesAction.java Fri Oct 18 08:10:07 2013
@@ -24,6 +24,7 @@ package org.apache.struts2.config_browse
 import com.opensymphony.xwork2.ActionSupport;
 import com.opensymphony.xwork2.config.entities.ActionConfig;
 import com.opensymphony.xwork2.inject.Inject;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.struts2.StrutsConstants;
 
 import java.util.Set;
@@ -57,7 +58,7 @@ public class ActionNamesAction extends A
     }
 
     public void setNamespace(String namespace) {
-        this.namespace = namespace;
+        this.namespace = StringEscapeUtils.escapeEcmaScript(namespace);
     }
 
     @Inject(StrutsConstants.STRUTS_ACTION_EXTENSION)

Modified: struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ShowConfigAction.java
URL: http://svn.apache.org/viewvc/struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ShowConfigAction.java?rev=1533354&r1=1533353&r2=1533354&view=diff
==============================================================================
--- struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ShowConfigAction.java (original)
+++ struts/struts2/trunk/plugins/config-browser/src/main/java/org/apache/struts2/config_browser/ShowConfigAction.java Fri Oct 18 08:10:07 2013
@@ -27,6 +27,7 @@ import com.opensymphony.xwork2.inject.In
 import com.opensymphony.xwork2.util.logging.Logger;
 import com.opensymphony.xwork2.util.logging.LoggerFactory;
 import com.opensymphony.xwork2.util.reflection.ReflectionProvider;
+import org.apache.commons.lang3.StringEscapeUtils;
 
 import java.beans.PropertyDescriptor;
 import java.util.Set;
@@ -81,7 +82,7 @@ public class ShowConfigAction extends Ac
     }
 
     public void setNamespace(String namespace) {
-        this.namespace = namespace;
+        this.namespace = StringEscapeUtils.escapeEcmaScript(namespace);
     }
 
     public String getActionName() {