[jboss-cvs] JBossAS SVN: r95623 - branches/Branch_4_2/varia/src/resources/jmx/html.
Tue Oct 27 13:56:25 EDT 2009
Author: bshim
Date: 2009-10-27 13:56:25 -0400 (Tue, 27 Oct 2009)
New Revision: 95623
Modified:
branches/Branch_4_2/varia/src/resources/jmx/html/displayMBeans.jsp
Log:
JBAS-6866 sanitized user input by escaping special characters
Modified: branches/Branch_4_2/varia/src/resources/jmx/html/displayMBeans.jsp
===================================================================
--- branches/Branch_4_2/varia/src/resources/jmx/html/displayMBeans.jsp 2009-10-27 17:39:01 UTC (rev 95622)
+++ branches/Branch_4_2/varia/src/resources/jmx/html/displayMBeans.jsp 2009-10-27 17:56:25 UTC (rev 95623)
@@ -1,6 +1,26 @@
<%@page contentType="text/html"
import="java.net.*,java.util.*,org.jboss.jmx.adaptor.model.*,java.io.*"
%>
+
+<%!
+
+ /**
+ * * Translate HTML tags and single and double quotes.
+ * */
+ public String translateMetaCharacters(Object value)
+ {
+ if(value == null)
+ return null;
+
+ String s = String.valueOf(value);
+ String sanitizedName = s.replace("<", "<");
+ sanitizedName = sanitizedName.replace(">", ">");
+ sanitizedName = sanitizedName.replace("\"", """);
+ sanitizedName = sanitizedName.replace("\'", "'");
+ return sanitizedName;
+ }
+%>
+
<html>
<head>
<%
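Review bot: The replacement chain that begins at the `String sanitizedName = s.replace(...)` line never escapes `&`, so a value containing an ampersand or an existing entity is not reproduced faithfully and the browser re-interprets it; the usual escaping order starts with `String sanitizedName = s.replace("&", "&amp;");` and then applies the `<`, `>`, `"` and `'` replacements to that result. As rendered in this archive the search and replacement strings of every `replace` call look identical (`s.replace("<", "<")`), presumably because the mail archive decoded the entity names; if the committed source really reads that way the method is a no-op, which is worth confirming against the repository. The Javadoc should also state the contract rather than repeat the name, e.g. `Escapes &, <, >, " and ' so that an untrusted value can be written into HTML text or a quoted attribute; returns null for null.`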
@@ -43,7 +63,9 @@
</table>
<hr>
<form action="HtmlAdaptor?action=displayMBeans" method="post" name="applyFilter" id="applyFilter">
-ObjectName Filter (e.g. "jboss:*", "*:service=invoker,*") :<input type="text" name="filter" size="40" value="<%= request.getAttribute("filter")%>" /><input type="submit" name="apply" value="ApplyFilter">
+ ObjectName Filter (e.g. "jboss:*", "*:service=invoker,*"):<br/>
+ <input type="text" name="filter" size="40" value="<%= translateMetaCharacters(request.getAttribute("filter"))%>" />
+ <input type="submit" name="apply" value="ApplyFilter">
<%
if (request.getAttribute("filterError") != null) {
out.println("<br/><span class='error'>"+request.getAttribute("filterError")+"</span>");
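Review bot: The `filterError` attribute printed on the last line of the hunk is still concatenated into the page unescaped, while the `filter` value in the input just above now goes through `translateMetaCharacters`; if the error text echoes the submitted filter (where it is set is not visible here), the same issue the commit closes on the input field remains open in the error span. Route it through the same helper: `out.println("<br/><span class='error'>"+translateMetaCharacters(request.getAttribute("filterError"))+"</span>");`. The scriptlet containing this `if` continues past the end of the hunk.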
@@ -64,7 +86,7 @@
for(int d = 0; d < data.length; d ++)
{
String name = data[d].getObjectName().toString();
- String properties = data[d].getNameProperties();
+ String properties = translateMetaCharacters(data[d].getNameProperties());
%>
<li><a href="HtmlAdaptor?action=inspectMBean&name=<%= URLEncoder.encode(name) %>"><%= URLDecoder.decode(properties) %></a></li>
<%
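Review bot: Escaping `properties` at its assignment on the `String properties = translateMetaCharacters(...)` line happens before `URLDecoder.decode(properties)` on the `<li>` line decodes it, so a percent-encoded metacharacter is not seen by the sanitizer and only becomes the raw character afterwards, at the point where it is written into the page. Escape the decoded value instead: keep `String properties = data[d].getNameProperties();` and render it as `<%= translateMetaCharacters(URLDecoder.decode(properties)) %>`. The single-argument `URLDecoder.decode(String)` is deprecated and decodes with the platform charset, which predates this change but is worth replacing with the two-argument form while here. The `for` loop whose body holds these lines continues beyond the hunk.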