You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2006/01/17 22:52:05 UTC
svn commit: r369933 - in /tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples: cal/cal2.jsp security/protected/index.jsp

Author: markt
Date: Tue Jan 17 13:52:02 2006
New Revision: 369933

URL: http://svn.apache.org/viewcvs?rev=369933&view=rev
Log:
Fix XSS issues in examples.

Modified:
    tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp
    tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp

Modified: tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp
URL: http://svn.apache.org/viewcvs/tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp?rev=369933&r1=369932&r2=369933&view=diff
==============================================================================
--- tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp (original)
+++ tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp Tue Jan 17 13:52:02 2006
@@ -29,12 +29,12 @@
 
 <FONT SIZE=5> Please add the following event:
 <BR> <h3> Date <%= table.getDate() %>
-<BR> Time <%= time %> </h3>
+<BR> Time <%= util.HTMLFilter.filter(time) %> </h3>
 </FONT>
 <FORM METHOD=POST ACTION=cal1.jsp>
 <BR> 
 <BR> <INPUT NAME="date" TYPE=HIDDEN VALUE="current">
-<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= time %>
+<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= util.HTMLFilter.filter(time) %>
 <BR> <h2> Description of the event <INPUT NAME="description" TYPE=TEXT SIZE=20> </h2>
 <BR> <INPUT TYPE=SUBMIT VALUE="submit">
 </FORM>

Modified: tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp
URL: http://svn.apache.org/viewcvs/tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp?rev=369933&r1=369932&r2=369933&view=diff
==============================================================================
--- tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp (original)
+++ tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp Tue Jan 17 13:52:02 2006
@@ -49,11 +49,13 @@
   if (role.length() > 0) {
     if (request.isUserInRole(role)) {
 %>
-      You have been granted role <b><%= role %></b><br><br>
+      You have been granted role
+      <b><%= util.HTMLFilter.filter(role) %></b><br><br>
 <%
     } else {
 %>
-      You have <i>not</i> been granted role <b><%= role %></b><br><br>
+      You have <i>not</i> been granted role
+      <b><%= util.HTMLFilter.filter(role) %></b><br><br>
 <%
     }
   }
@@ -62,7 +64,7 @@
 To check whether your username has been granted a particular role,
 enter it here:
 <form method="GET" action='<%= response.encodeURL("index.jsp") %>'>
-<input type="text" name="role" value="<%= role %>">
+<input type="text" name="role" value="<%= util.HTMLFilter.filter(role) %>">
 </form>
 <br><br>
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org