From 838ee9d11652350a5c7d8fc2d804253fe7ee00d5 Mon Sep 17 00:00:00 2001
From: mjudd
Date: Fri, 3 Apr 2009 15:15:26 +0000
Subject: [PATCH] BF [ 2728388 ] - Fix potential CSS vulnerability
---
 .../main/servlet/org/compiere/wstore/LocationServlet.java | 8 +++++---
 .../main/servlet/org/compiere/wstore/SearchServlet.java | 3 ++-
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/serverApps/src/main/servlet/org/compiere/wstore/LocationServlet.java b/serverApps/src/main/servlet/org/compiere/wstore/LocationServlet.java
index 414d35bcb7..514ef440f9 100644
--- a/serverApps/src/main/servlet/org/compiere/wstore/LocationServlet.java
+++ b/serverApps/src/main/servlet/org/compiere/wstore/LocationServlet.java
@@ -32,13 +32,14 @@ import org.compiere.model.MLocation;
 import org.compiere.model.MRegion;
 import org.compiere.util.CLogger;
 import org.compiere.util.WebEnv;
-
+import org.compiere.util.Util;
 /**
 * Location Servlet
 *
 * @author Jorg Janke
 * @version $Id: LocationServlet.java,v 1.5 2006/07/30 00:53:21 jjanke Exp $
+ * @author Michael Judd BF [2728388] - fix potential CSS velnerability
 */
 public class LocationServlet extends HttpServlet
 {
@@ -110,8 +111,9 @@ public class LocationServlet extends HttpServlet
 response.setCharacterEncoding("UTF-8");
 PrintWriter out = response.getWriter();
- String cmd = request.getParameter("cmd");
+ cmd = Util.maskHTML(cmd, true);
+ if(cmd == null) {
 out.println("Unknown Request: NULL");
@@ -137,7 +139,7 @@ public class LocationServlet extends HttpServlet
 }
 out.println("");
 }else if(cmd.equalsIgnoreCase("regions")){
- String country = request.getParameter("country");
+ String country = Util.maskHTML(request.getParameter("country"), true);
 try{
 int countryId = Integer.parseInt(country);
diff --git a/serverApps/src/main/servlet/org/compiere/wstore/SearchServlet.java b/serverApps/src/main/servlet/org/compiere/wstore/SearchServlet.java
index 87179802b7..03b93797bc 100644
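Review bot: The Javadoc line added here misnames the issue: `CSS velnerability` should read `XSS vulnerability` (cross-site scripting), and the commit subject carries the same mistake; suggest `* @author Michael Judd BF [2728388] - fix potential XSS vulnerability`. A second `@author` tag is also an odd place to record bug-fix history, where a short note in the class description or a `@see` to the tracker entry would be easier to find. Replacing the blank line with `import org.compiere.util.Util;` leaves the import butted directly against the `/**` that opens the class Javadoc; keeping one blank line between the import block and the class comment is the usual layout.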
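Review bot: Masking `cmd` before the null check reorders two things that should stay apart: if `Util.maskHTML` does not tolerate a null argument (its contract is not visible here), the `if(cmd == null)` test that now follows it can never fire for a missing `cmd` parameter, so the mask belongs below that check. More fundamentally, `cmd` is a dispatch key compared with `equalsIgnoreCase("regions")` and similar, not output; escaping it changes what `&`, `<` and `"` compare as, yet only protects whichever path echoes it (presumably the unknown-command error message, which lies outside this hunk). The robust fix is to escape at that output point, or to reject any `cmd` that matches no known command without reflecting it at all, e.g. `out.println("Unknown Request");`. The enclosing method continues outside the hunk.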
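Review bot: `country` is masked and then immediately handed to `Integer.parseInt(country)`, so the escaping has no effect on the success path and only matters if the raw string is echoed in the `catch` for a non-numeric value, which lies outside this hunk. Since the parameter is only ever used as an integer, a narrower fix is to never hold the raw string: read it as an int the way this same patch's SearchServlet hunk does with `WebUtil.getParameterAsInt(request, "warehouseID")`, i.e. `int countryId = WebUtil.getParameterAsInt(request, "country");` (assuming `WebUtil` is reachable from this servlet, whose visible imports show only `WebEnv`), and report the failure without reflecting the input. Note too that `Util.maskHTML` is applied straight to a possibly-null `getParameter` result; whether it accepts null is not visible here. The `try` block continues outside the hunk.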
--- a/serverApps/src/main/servlet/org/compiere/wstore/SearchServlet.java
+++ b/serverApps/src/main/servlet/org/compiere/wstore/SearchServlet.java
@@ -45,6 +45,7 @@ import org.compiere.util.WebUtil;
 *
 * @author Jorg Janke
 * @version $Id$
+ * @author Michael Judd BF [2728388] - fix potential CSS velnerability
 */
 public class SearchServlet extends HttpServlet
 {
@@ -126,7 +127,7 @@ public class SearchServlet extends HttpServlet
 int warehouseID = WebUtil.getParameterAsInt(request, "warehouseID");
 int partnerID = WebUtil.getParameterAsInt(request, "partnerID");
- String get = request.getParameter("get");
+ String get = Util.maskHTML(request.getParameter("get"), true);
 if(get == null) {
 out.println("Unknown Request: NULL");
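Review bot: This file gains a `Util.maskHTML` call further down, but unlike the LocationServlet change no `import org.compiere.util.Util;` is added, and the hunk header shows the import block ending at `import org.compiere.util.WebUtil;`; unless `Util` is already imported above this hunk (or via a wildcard), the later change will not compile, so add `import org.compiere.util.Util;` beside the `WebUtil` import. The added Javadoc line also repeats the `CSS velnerability` wording from the other file; the issue is cross-site scripting, so `* @author Michael Judd BF [2728388] - fix potential XSS vulnerability`.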