Author: chris.laprun(a)jboss.com
Date: 2009-01-30 18:17:10 -0500 (Fri, 30 Jan 2009)
New Revision: 12742
Modified:
branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
Log:
- Added more sanitization of parameter values. However, I am not too familiar with CMS so
I am not sure what the proper behavior should be there, or whether the default values that I
give might cause side-effects of their own... :(
Modified:
branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
---
branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30
23:16:48 UTC (rev 12741)
+++
branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30
23:17:10 UTC (rev 12742)
@@ -986,6 +986,8 @@
if (!item.isFormField())
{
String sFilename = item.getName();
+ sFilename = ParameterValidation.sanitizeFromPattern(sFilename,
CHECK_FOR_XSS_PATTERN, "");
+
if (!"".equals(sFilename))
{
int backslashIndex = sFilename.lastIndexOf("\\");
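Review bot: A filename rejected by the added sanitizeFromPattern call is replaced with the fixed default `""` and then silently falls out of the `if (!"".equals(sFilename))` branch, so the upload is dropped without any error being reported or logged; the second hunk makes the same silent substitution for every form field value. If that is the intended outcome, record it where the default is chosen, e.g. `// a name rejected by CHECK_FOR_XSS_PATTERN becomes "" and the upload is skipped below`; otherwise keep enough of the original value to raise a validation error instead of quietly skipping. CHECK_FOR_XSS_PATTERN presumably screens markup in the name, not directory components, so the `lastIndexOf("\\")` handling that follows remains the only treatment of path separators visible here. The enclosing method starts and ends outside this hunk.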
@@ -1047,21 +1049,23 @@
else
{
String fieldName = item.getFieldName();
+ String itemValue = item.getString(aReq.getCharacterEncoding());
+ itemValue = ParameterValidation.sanitizeFromPattern(itemValue,
CHECK_FOR_XSS_PATTERN, "");
if ("destination".equals(fieldName))
{
- sPath = item.getString(aReq.getCharacterEncoding());
+ sPath = itemValue;
}
else if ("description".equals(fieldName))
{
- sDescription = item.getString(aReq.getCharacterEncoding());
+ sDescription = itemValue;
}
else if ("title".equals(fieldName))
{
- sTitle = item.getString(aReq.getCharacterEncoding());
+ sTitle = itemValue;
}
else if ("language".equals(fieldName))
{
- sLanguage = item.getString(aReq.getCharacterEncoding());
+ sLanguage = itemValue;
}
}
}
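Review bot: `sPath = itemValue` now assigns the "destination" field after it has only been screened with CHECK_FOR_XSS_PATTERN, and a rejected destination becomes `""` rather than an error, so whatever the CMS does with an empty path happens silently; the commit message itself flags this uncertainty. If sPath is later resolved against the CMS tree (outside this hunk), it needs path-specific validation in addition to the XSS screen — a pattern admitting only the characters a node path may contain, or a check that the normalized path stays under the intended root — because an XSS filter says nothing about `..` segments or absolute paths. The same applies, more mildly, to "language", which could be checked against the set of supported locales instead of a generic markup pattern. A short comment at the assignments, such as `// values rejected by CHECK_FOR_XSS_PATTERN arrive here as ""`, would at least make the default visible to whoever consumes sPath. The enclosing method continues before and after this hunk.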