Posted to commits@sling.apache.org by cz...@apache.org on 2011/12/28 11:23:33 UTC

svn commit: r1225154 - /sling/trunk/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/internal/JcrResourceResolverWebConsolePlugin.java

Author: cziegeler
Date: Wed Dec 28 10:23:33 2011
New Revision: 1225154

URL: http://svn.apache.org/viewvc?rev=1225154&view=rev
Log:
SLING-2344 : Escape output of request parameters

Modified:
    sling/trunk/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/internal/JcrResourceResolverWebConsolePlugin.java

Modified: sling/trunk/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/internal/JcrResourceResolverWebConsolePlugin.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/internal/JcrResourceResolverWebConsolePlugin.java?rev=1225154&r1=1225153&r2=1225154&view=diff
==============================================================================
--- sling/trunk/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/internal/JcrResourceResolverWebConsolePlugin.java (original)
+++ sling/trunk/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/internal/JcrResourceResolverWebConsolePlugin.java Wed Dec 28 10:23:33 2011
@@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletReq
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.sling.api.resource.ResourceResolver;
+import org.apache.sling.engine.ResponseUtil;
 import org.apache.sling.jcr.resource.internal.helper.MapEntries;
 import org.apache.sling.jcr.resource.internal.helper.MapEntry;
 import org.apache.sling.jcr.resource.internal.helper.URI;
@@ -139,8 +140,11 @@ public class JcrResourceResolverWebConso
         pw.println("<td class='content'>Test</td>");
         pw.print("<td class='content' colspan='2'>");
         pw.print("<form method='post'>");
-        pw.println("<input type='text' name='" + ATTR_TEST + "' value='" + (test != null ? test : "")
-            + "' class='input' size='50'>");
+        pw.print("<input type='text' name='" + ATTR_TEST + "' value='");
+        if ( test != null ) {
+            pw.print(ResponseUtil.escapeXml(test));
+        }
+        pw.println("' class='input' size='50'>");
         pw.println("&nbsp;&nbsp;<input type='submit' name='" + ATTR_SUBMIT
             + "' value='Resolve' class='submit'>");
         pw.println("&nbsp;&nbsp;<input type='submit' name='" + ATTR_SUBMIT
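Review bot: The escaped value printed on line 38 lands inside a single-quoted attribute (`value='` opened on line 36 and closed on line 40), so the fix is only complete if `ResponseUtil.escapeXml` encodes the apostrophe in addition to `<`, `>`, `&` and `"`; that is worth confirming once and recording beside the call, e.g. `// escapeXml must also encode ' because this attribute is single-quoted`. If it does not, delimiting the attribute with `\"` would match the double-quote handling every XML escaper guarantees. The enclosing method starts and ends outside the hunk.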
@@ -152,7 +156,9 @@ public class JcrResourceResolverWebConso
         if (msg != null) {
             pw.println("<tr class='content'>");
             pw.println("<td class='content'>&nbsp;</td>");
-            pw.println("<td class='content' colspan='2'>" + msg + "</td>");
+            pw.print("<td class='content' colspan='2'>");
+            pw.print(ResponseUtil.escapeXml(msg));
+            pw.println("</td>");
             pw.println("</tr>");
         }
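Review bot: The escaping of `msg` on line 50 also covers the failure branch later in the same method (`msg = "Test Failure: " + t;`), which echoes the Throwable's class name and message straight into the page. Escaping removes the markup-injection risk, but the raw exception text still reaches the console output; if that is more detail than intended, printing a short fixed message and logging the Throwable would keep the rendered text generic. The enclosing method starts and ends outside the hunk.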
 
@@ -209,7 +215,7 @@ public class JcrResourceResolverWebConso
                 // set the result to render the result
                 msg = result.toString();
 
-            } catch (Throwable t) {
+            } catch (final Throwable t) {
 
                 // some error occurred, report it as a result
                 msg = "Test Failure: " + t;