BF [ 2728388 ] - Fix potential CSS vulnerability

2009-04-03 15:15:26 +00:00 · 2009-04-03 15:15:26 +00:00 · 838ee9d116
parent 4bde069ba8
commit 838ee9d116
2 changed files with 7 additions and 4 deletions
--- a/serverApps/src/main/servlet/org/compiere/wstore/LocationServlet.java
+++ b/serverApps/src/main/servlet/org/compiere/wstore/LocationServlet.java
@ -32,13 +32,14 @@ import org.compiere.model.MLocation;
 import org.compiere.model.MRegion;
 import org.compiere.util.CLogger;
 import org.compiere.util.WebEnv;
-
+import org.compiere.util.Util;

 /**
 * 	Location Servlet
 *	
 *  @author Jorg Janke
 *  @version $Id: LocationServlet.java,v 1.5 2006/07/30 00:53:21 jjanke Exp $
+ *  @author Michael Judd BF [2728388] - fix potential CSS velnerability
 */
 public class LocationServlet extends HttpServlet
 {
@ -110,8 +111,9 @@ public class LocationServlet extends HttpServlet
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();

-
        String cmd = request.getParameter("cmd");
+        cmd = Util.maskHTML(cmd, true);
+        
        if(cmd == null)
        {
            out.println("<error>Unknown Request: NULL</error>");
@ -137,7 +139,7 @@ public class LocationServlet extends HttpServlet
                }
                out.println("</countries>");
            }else if(cmd.equalsIgnoreCase("regions")){
-                String country = request.getParameter("country");
+                String country = Util.maskHTML(request.getParameter("country"), true);
                try{
                    int countryId = Integer.parseInt(country);

--- a/serverApps/src/main/servlet/org/compiere/wstore/SearchServlet.java
+++ b/serverApps/src/main/servlet/org/compiere/wstore/SearchServlet.java
@ -45,6 +45,7 @@ import org.compiere.util.WebUtil;
 *	
 *  @author Jorg Janke
 *  @version $Id$
+ *  @author Michael Judd BF [2728388]  - fix potential CSS velnerability
 */
 public class SearchServlet extends HttpServlet
 {
@ -126,7 +127,7 @@ public class SearchServlet extends HttpServlet
        int warehouseID = WebUtil.getParameterAsInt(request, "warehouseID");
        int partnerID = WebUtil.getParameterAsInt(request, "partnerID");
        
-        String get = request.getParameter("get");
+        String get = Util.maskHTML(request.getParameter("get"), true);
        if(get == null)
        {
            out.println("<error>Unknown Request: NULL</error>");