4:58 a.m.
Author: thomas.heute(a)jboss.com
Date: 2010-03-30 05:58:37 -0400 (Tue, 30 Mar 2010)
New Revision: 2394
Modified:
portal/trunk/examples/extension/war/src/main/webapp/login/jsp/login.jsp
portal/trunk/examples/portal/war/src/main/webapp/login/jsp/login.jsp
portal/trunk/web/portal/src/main/webapp/login/jsp/login.jsp
Log:
GTNPORTAL-725: JAAS Servlet, XSS issue
Encoding the username before displaying it back to the user
Modified: portal/trunk/examples/extension/war/src/main/webapp/login/jsp/login.jsp
===================================================================
--- portal/trunk/examples/extension/war/src/main/webapp/login/jsp/login.jsp 2010-03-30
09:18:21 UTC (rev 2393)
+++ portal/trunk/examples/extension/war/src/main/webapp/login/jsp/login.jsp 2010-03-30
09:58:37 UTC (rev 2394)
@@ -25,6 +25,7 @@
<%@ page
import="org.exoplatform.services.resources.ResourceBundleService"%>
<%@ page import="java.util.ResourceBundle"%>
<%@ page import="org.exoplatform.web.login.InitiateLoginServlet"%>
+<%@ page import="org.gatein.common.text.EntityEncoder"%>
<%@ page language="java" %>
<%@ page contentType="text/html; charset=utf-8" %>
<%
@@ -67,6 +68,8 @@
<%/*Begin form*/%>
<%
if(username.length() > 0 || password.length() > 0) {
+ EntityEncoder encoder = EntityEncoder.FULL;
+ username = encoder.encode(username);
%>
<font color="red">Sign in failed. Wrong username or
password.</font><%}%>
<form name="loginForm" action="<%= contextPath +
"/login"%>" method="post" style="margin: 0px;">
Modified: portal/trunk/examples/portal/war/src/main/webapp/login/jsp/login.jsp
===================================================================
--- portal/trunk/examples/portal/war/src/main/webapp/login/jsp/login.jsp 2010-03-30
09:18:21 UTC (rev 2393)
+++ portal/trunk/examples/portal/war/src/main/webapp/login/jsp/login.jsp 2010-03-30
09:58:37 UTC (rev 2394)
@@ -25,6 +25,7 @@
<%@ page
import="org.exoplatform.services.resources.ResourceBundleService"%>
<%@ page import="java.util.ResourceBundle"%>
<%@ page import="org.exoplatform.web.login.InitiateLoginServlet"%>
+<%@ page import="org.gatein.common.text.EntityEncoder"%>
<%@ page language="java" %>
<%@ page contentType="text/html; charset=utf-8" %>
<%
@@ -67,6 +68,8 @@
<%/*Begin form*/%>
<%
if(username.length() > 0 || password.length() > 0) {
+ EntityEncoder encoder = EntityEncoder.FULL;
+ username = encoder.encode(username);
%>
<font color="red">Sign in failed. Wrong username or
password.</font><%}%>
<form name="loginForm" action="<%= contextPath +
"/login"%>" method="post" style="margin: 0px;">
Modified: portal/trunk/web/portal/src/main/webapp/login/jsp/login.jsp
===================================================================
--- portal/trunk/web/portal/src/main/webapp/login/jsp/login.jsp 2010-03-30 09:18:21 UTC
(rev 2393)
+++ portal/trunk/web/portal/src/main/webapp/login/jsp/login.jsp 2010-03-30 09:58:37 UTC
(rev 2394)
@@ -25,6 +25,7 @@
<%@ page
import="org.exoplatform.services.resources.ResourceBundleService"%>
<%@ page import="java.util.ResourceBundle"%>
<%@ page import="org.exoplatform.web.login.InitiateLoginServlet"%>
+<%@ page import="org.gatein.common.text.EntityEncoder"%>
<%@ page language="java" %>
<%
String contextPath = request.getContextPath() ;
@@ -69,6 +70,9 @@
<%/*Begin form*/%>
<%
if(username.length() > 0 || password.length() > 0) {
+ EntityEncoder encoder = EntityEncoder.FULL;
+ username = encoder.encode(username);
+
%>
<font
color="red"><%=res.getString("UILoginForm.label.SigninFail")%></font><%}%>
<form name="loginForm" action="<%= contextPath +
"/login"%>" method="post" style="margin: 0px;">
@@ -117,4 +121,4 @@
</div>
<span style="font-size: 11px; color: #3f3f3f; text-align:
center"><%=res.getString("UILoginForm.label.Copyright")%></span>
</body>
-</html>
\ No newline at end of file
+</html>