From thecarlh...@apache.org
Subject svn commit: r1293518 - /sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java
Date Sat, 25 Feb 2012 02:05:56 GMT
Author: thecarlhall
Date: Sat Feb 25 02:05:56 2012
New Revision: 1293518

URL: http://svn.apache.org/viewvc?rev=1293518&view=rev
Log:
SLING-2427 Escape the resource metadata in HtmlRendererServlet to stop HTML injection via the URL.

Modified:
    sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java

Modified: sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java?rev=1293518&r1=1293517&r2=1293518&view=diff
==============================================================================
--- sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java
(original)
+++ sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererServlet.java
Sat Feb 25 02:05:56 2012
@@ -24,6 +24,7 @@ import java.util.Map;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.sling.api.SlingConstants;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.SlingHttpServletResponse;
@@ -102,7 +103,8 @@ public class HtmlRendererServlet extends
     private void printResourceInfo(PrintWriter pw, Resource r) {
         pw.println("<h1>Resource dumped by " + getClass().getSimpleName() + "</h1>");
         pw.println("<p>Resource path: <b>" + r.getPath() + "</b></p>");
-        pw.println("<p>Resource metadata: <b>" + r.getResourceMetadata()
+        pw.println("<p>Resource metadata: <b>"
+            + StringEscapeUtils.escapeHtml(String.valueOf(r.getResourceMetadata()))
             + "</b></p>");
 
         pw.println("<p>Resource type: <b>" + r.getResourceType() + "</b></p>");
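Review bot: The resource path and resource type printed on the lines just before and after the changed statement are still concatenated into the markup unescaped, so the injection this commit closes for the metadata remains open for `r.getPath()` (which is presumably derived from the request URL, like the metadata the log message refers to) and `r.getResourceType()`. With StringEscapeUtils now imported, both lines can be brought in line with the escaped metadata line: `pw.println("<p>Resource path: <b>" + StringEscapeUtils.escapeHtml(r.getPath()) + "</b></p>");` and `pw.println("<p>Resource type: <b>" + StringEscapeUtils.escapeHtml(r.getResourceType()) + "</b></p>");`. printResourceInfo's body continues outside the hunk, so any further resource-derived values printed there should be checked the same way.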


